ABSTRACT


This  thesis  considers  the  effects  of  cyber  operations  on  kinetic  warfare,  by  exploring  and 
building  on  two  recently  proposed  extensions  to  traditional  Lanchester  models  of  combat. 
In  one  model,  we  consider  instantaneous  changes  to  kinetic  fighting  capability  resulting, 
for  example,  from  the  disruption  or  restoration  of  communications  or  other  supporting 
cyber  systems.  Such  changes  create  discontinuous  shocks  in  the  overall  combat  dynamics 
and  can  dramatically  affect  the  outcome  of  a  battle.  In  the  second  model,  we  represent 
cyber  operations  as  a  continuous  process  of  degradation  and  recovery  in  fighting 
capability  based  on  the  dynamics  of  epidemic  spread.  By  using  analytical  and  numerical 
approaches,  we  obtain  insights  about  the  effect  of  cyber  operations  on  battle  duration  and 
attrition,  how  cyber  operations  can  affect  victory  conditions,  and  tradeoffs  in  the 
allocation  of  limited  resources  to  cyber  operations  and  kinetic  operations.  Building  on  a 
common  model  framework,  we  develop  several  additional  models  that  can  be  used  to 
investigate  specific  aspects  of  cyber  operations  on  kinetic  combat. 

EXECUTIVE SUMMARY


“Cyber operations” is a topic of increasing importance to the United States and countries
all over the world. The impacts of cyber operations on conventional kinetic battles are an
area of interest. These operations can be used to decrease fighting capabilities of an
adversary. And unlike the study of traditional warfare, there are no well-accepted models
for these phenomena. But the mathematical models for cyber operations can give
insights that help strategic decisions to generate tactical approaches. These models can
also be used in the efficient allocation of resources.

This  thesis  is  based  on  Lanchester  equations  as  the  main  model  of  combat. 
Specifically,  we  build  upon  two  recent  efforts  that  use  modified  versions  of  Lanchester 
equations  to  study  the  effect  of  cyber  operations  on  kinetic  battles.  In  this  representation, 
a  cyber  attack  does  not  kill  an  adversary,  but  it  affects  fighting  capability  as  represented 
by the attrition coefficients in the model. The cyber attacker benefits from this action by
decreasing its own attrition rate.

The  first  model  builds  on  the  work  of  Schramm  (2012),  in  which  instantaneous 
changes  to  kinetic  fighting  capability  result  from,  for  example,  the  disruption  or 
restoration  of  communications  or  other  supporting  cyber  systems.  Such  changes  create 
discontinuous  shocks  in  the  overall  combat  dynamics  and  can  dramatically  affect  the 
outcome  of  a  battle.  We  consider  a  model  in  which  one  side  suffers  a  first  shock  that 
degrades  fighting  capability  and  then  another  shock  that  restores  it.  We  explore  the 
impact  of  timing,  duration,  and  magnitude  of  the  shock  on  the  overall  battle  outcome. 

The  second  model  follows  the  work  of  Schramm  and  Gaver  (2013),  in  which  the 
dynamics  of  combat  are  mixed  with  the  dynamics  of  epidemic  spread.  Here,  cyber 
operations  are  represented  as  a  continuous  process  of  degradation  and  recovery  in 
fighting  capability.  Again,  the  analysis  focuses  on  the  rate  of  spread  and  recovery  and  its 
impact  on  battle  outcome. 

The main difference between these two models is that the first one considers a
cyber attack at an instant of time, while the second model considers the effect of the
cyber attack as a process evolving over time. Both of these assumptions have different
applications and capture different aspects of cyber operations.

In this study, we also propose various extensions to the studied models, such as
adding different intrusion times, defense capabilities or adding a second type of infection
to the system. These proposed models are intended to represent different aspects of cyber
operations, and serve as a basis for future work in this area.

I. INTRODUCTION


“Cyber” is a new term in our lives, a term that is changing business, social
relations, politics, and art as well as security-related topics. The use of the prefix “cyber”
was first popularized by Norbert Wiener (1965) through his book Cybernetics, or Control
and Communication in the Animal and the Machine. More recently, this prefix has been
associated broadly with the interface between man and machine. The Merriam-Webster
Dictionary defines cyber as “of, relating to, or involving computers or computer networks
(as the Internet).”

A.  THE  GROWING  IMPORTANCE  OF  CYBER  SECURITY 

“Cyber operations” is a topic of increasing importance to the United States and
countries all over the world. Over the last several years, concerns over the effects of cyber
security, in particular, were in the spotlight. For example: in 2008, President Bush
launched the Comprehensive National Cyber Security Initiative. The North Atlantic
Treaty Organization Cooperative Cyber Defence Centre of Excellence (NATO CCD COE)
was formally established in 2008 in order to enhance NATO’s cyber defense capability. In
2009, President Obama directed a “clean slate” Cyberspace Policy Review, which
considers “strategy, policy, and standards regarding the security of and operations in
cyberspace, and encompasses the full range of threat reduction, vulnerability reduction,
deterrence, international engagement, incident response, resiliency, and recovery policies
and activities, including computer network operations, information assurance, law
enforcement, diplomacy, military, and intelligence missions as they relate to the security
and stability of the global information and communications infrastructure” (White House,
2009). This review recommended keeping cyber security a top priority for the President.
In 2010, the “Cyber domain” was declared as the fifth domain of battleground for the
United States (Lynn, The Economist, 2010). Recently, President Obama stated cyber
security is at the top of the list of priorities for the United States (Obama, 2013).

The main reason for this sharp increase in the importance of cyber-related issues is
our  increased  dependency  on  electronics.  The  development  of  electronic  devices  and 
digital  networks  has  been  primarily  for  new  functionality,  convenience,  and  cost  savings. 
In  most  cases  security  has  not  been  an  important  issue  in  the  design  until  there  is  a  cyber- 
related  accident  or  an  intentional  breach,  known  as  a  cyber  security  incident.  With 
increased  dependency  on  electronics,  security  gaps  have  become  even  wider. 

A  second  reason  for  greater  attention  to  cyber-related  concerns  is  the  increase  in 
cyber  security  incidents.  In  2011,  Symantec  reported  that  over  5.5  billion  attacks  were 
blocked,  nearly  5,000  new  vulnerabilities  were  identified,  and  an  average  breach  exposed 
1.1  million  identities,  in  computer  systems  all  over  the  world  (Symantec,  2012).  Further, 
over  400  million  unique  variants  of  malware  attempted  to  take  advantage  of  those 
vulnerabilities;  with  the  number  of  malware  variants  40%  higher  than  in  2010.  According 
to  a  Symantec  report  in  2014,  there  were  215  significant  incidents  of  identity  theft  in  2013 
and  the  average  number  of  exposed  identities  increased  to  1.6  million  identities  per 
breach.  Moreover,  70%  of  these  identities  included  real  names,  40%  included 
government-issued  social  security  numbers,  and  40%  included  dates  of  birth.  According  to 
the  same  report,  there  were  6436  cyber  vulnerabilities  identified  in  2013,  eight  of  which 
were  “zero-day”  vulnerabilities,  meaning  that  they  were  exploited  before  they  were  known 
by  cyber  security  managers  (Symantec,  2014). 

Another  reason  for  increased  attention  to  cyber  security  is  that  cyber  operations  are 
fundamentally  asymmetric.  Only  a  small  amount  of  resources  are  needed  to  create  and 
exploit  one’s  cyber  vulnerabilities.  As  noted  by  the  Defense  Science  Board  (2013),  for  as 
little  as  $40  up  to  $4,000  anyone  can  acquire  cyber  attack  tools.  With  such  a  low  barrier  to 
entry,  almost  anyone  can  exploit  any  known  and  uncorrected  vulnerabilities. 

In  the  current  operating  environment,  the  superiority  of  U.S.  military  systems  is 
critically  dependent  upon  increasingly  vulnerable  information  technologies.  The 
Department  of  Defense  (DOD)  seeks  new  techniques,  procedures,  and  technologies  to 
strengthen  this  link  in  the  chain. 

Until recently, there were no mathematical models for cyber operation effects on
the battleground. In 2009, the U.S. Department of Homeland Security published the
framework, A Roadmap for Cybersecurity Research, which identified 11 challenging and
vital  problems  such  as  identity  management,  survivability  of  time  critical  systems,  insider 
threats,  and  combating  malware.  Another  well-known  study,  the  JASON  Report  The 
Science  of  Cyber-Security  (McMorrow,  JASON  DTIC  Document,  2010)  recommended 
that  all  types  of  analytical  approaches  should  be  considered,  and  it  suggested  a 
combination  of  models  from  various  other  sciences  such  as  physics,  biology,  and 
epidemiology.  In  2011,  the  DOD  Strategy  for  Operating  in  Cyberspace  (DOD,  2011) 
established  a  conceptual  framework  based  on  five  strategic  initiatives,  summarized  as: 
treat  cyberspace  as  an  operational  domain,  employ  new  defensive  concepts,  enhance  the 
government  partnership  with  industry,  establish  partnerships  with  allies,  invest  in  research 
and  development. 

For  a  more  detailed  report  on  the  commercial  aspects  of  cyber  operations  see 
Sommer  (2011),  which  discusses  a  report  by  Organization  for  Economic  Co-operation  and 
Development (OECD) titled “Reducing Systematic Cybersecurity Risks.” For a detailed
literature  review  on  military  concerns  related  to  cyber  operations  see  the  report  of  the 
Defense  Science  Board  in  2013  to  the  Department  of  Defense  titled  “Resilient  Military 
Systems  and  the  Advanced  Cyber  Threat”  (Defense  Science  Board,  2013). 

B. SCOPE AND OBJECTIVES OF THIS STUDY

The  objective  in  this  thesis  is  to  study  the  essence  and  behavior  of  cyber  operation 
effects  on  combat.  The  scope  of  this  study  is  limited  to  the  description  and  exploration  of 
the  effects  of  cyber  operations  within  kinetic  battle,  in  order  to  give  descriptive  insights  of 
the  results  of  integrated  and  joint  cyber  operations. 

This  study  builds  on  two  recent  efforts  to  model  the  effects  of  cyber  operations  in 
kinetic  warfare.  Schramm  (2012)  proposes  a  mathematical  model  in  Lanchester  Models 
with  Discontinuities:  An  Application  to  Networked  Forces  to  represent  shock  effects  on 
networked  forces,  which  can  be  used  to  represent  the  results  of  cyber  operations.  This 
study introduces a novel twist on traditional Lanchester equations (Lanchester, 1916)
describing force-on-force combat. Specifically, Schramm considers a discontinuous
“shock”  that  instantaneously  changes  attrition  coefficients  in  the  system  of  differential 
equations,  and  then  assesses  the  impact  of  this  change  on  the  outcome.  The  shock  may  be 
due  to  a  cyber  attack  which  results  in  decreased  effectiveness  of  the  force  being  cyber 
attacked.  The  cyber  attack  affects  the  opposing  force  permanently  to  the  end  of  the  battle. 
This  representation  naturally  leads  to  questions  about  the  timing  and  degradation  of 
fighting  capability:  how  much  weaker  can  a  force  become  and  still  win?  How  long  must  a 
cyber  attack  be  effective  to  result  in  a  kinetic  battle  victory? 

Following  this,  Schramm  and  Gaver  (2013)  propose  a  “mixed  epidemic  combat 
model”  that  models  cyber  attacks  as  variants  of  biological  infections,  which  affect  the 
kinetic  fighting  capability  of  the  opposing  force.  The  basic  scenario  is  as  follows:  A  Red 
force  kinetically  attacks  a  Blue  force  while  also  trying  to  infect  Blue's  electronic  devices 
with  a  cyber  attack  in  order  to  reduce  Blue's  defensive  power  and  offensive  power.  The 
Blue  force  attacks  Red  kinetically  only,  but  with  reduced  capability  because  of  infection. 
While the battle goes on, Blue forces try to cure the cyber infection to return the infected
units  to  full  capability.  Thus,  the  cyber  attack  on  Blue  may  change  the  battle  outcome,  and 
even  if  Blue  were  the  dominant  power  before  being  affected  by  an  infection,  the  battle 
may  result  in  a  Red  victory. 

Following  the  work  of  Schramm  (2012)  we  assume  that  a  cyber  incident  can 
degrade  the  fighting  capability  of  a  force.  We  extend  the  model  by  representing  recovery 
of  the  degraded  force.  Results  from  this  model  provide  insights  about  the  effect  for 
kinetic  battle  of  the  time  of  the  cyber  attack  and  recovery,  and  supply  a  tool  to 
compare  the  metrics  of  a  cyber  incident  with  the  kinetic  battle. 

Following  the  lead  in  Schramm  and  Gaver  (2013),  in  this  thesis  we  assume  that 
cyber  operations  can  take  the  form  of  malware,  and  cyber  attacks  can  be  represented  as 
variants  of  biological  infections.  We  extend  the  mixed  epidemic  combat  model  to  a  two- 
sided  setting.  Results  from  this  model  provide  insights  into  the  tactical  use  of  cyber 
operations. 

The main objective of the models is to explore issues related to how cyber
operations affect battle duration, how cyber operations affect victory conditions, and
under which conditions the victorious side can change as a result of the cyber
operation. Specific measures of performance include how cyber operations affect battle
duration and attrition, and how cyber operations affect victory conditions. Other questions of
interest include how to allocate limited resources between cyber operations and kinetic
operations.

C.  ORGANIZATION  OF  THIS  THESIS 

The  remainder  of  this  thesis  is  organized  as  follows.  Chapter  II  contains  a  literature 
review  of  studies  related  to  cyber  operations,  as  well  as  other  studies  involving  kinetic 
warfare  models  with  three  nature-inspired  models  and  cyber  operation  effects  on  kinetic 
warfare  models.  Chapter  III  introduces  the  first  model  about  cyber  operations  on  kinetic 
battles,  treating  cyber  operation  as  a  discrete  pulsed  effect.  We  extend  the  original  model 
by  modifying  the  model  for  recovery.  In  Chapter  IV,  we  introduce  the  original  cyber 
epidemic  combat  model,  propose  an  extended  two-sided  cyber  epidemic  combat  model, 
and  explore  the  proposed  model  for  different  aspects.  In  Chapter  V,  we  propose  new 
models  by  extending  the  assumptions  in  studied  models.  These  models  are  generated  to 
explore  specific  application  areas.  In  Chapter  VI,  we  conclude  the  thesis  by  giving  the 
insights  derived,  which  is  followed  by  our  operational  recommendations,  and  directing 
future  studies  for  appropriate  research  areas  to  fill  the  gaps.  In  the  appendices,  we  describe 
in  detail  the  steps  we  used  to  develop  the  proposed  model  and  some  proposed  formulation. 

II. BACKGROUND


The use of cyber operations in military conflict is now more than 30 years old.
Cyber space is well-integrated with conventional kinetic combat domains. Cyber
operations,  unlike  conventional  warfare,  can  be  applied  on  a  broader  scale.  All 
communication  systems,  radars,  missile  launchers,  and  high  tech  weapons  as  well  as 
infrastructure  networks,  financial  institutions,  electronic  media,  and  power  grids  belong  to 
the  cyber  domain.  All  of  these  systems  are  potential  targets  of  cyber  operations  (Cigital, 
2013).  To  illustrate  the  range  of  the  cyber  threat,  we  highlight  some  past  cyber  events  in 
the  following  section. 

A.  HISTORY  OF  CYBER  OPERATIONS 

In  1998,  the  first  step  for  a  cyberwar  in  a  real  kinetic  battle  was  recorded.  An 
information  operations  cell  was  established  by  NATO  to  electronically  attack  critical 
network  infrastructure  and  command  and  control  systems  in  the  Kosovo  war.  Because  of 
this,  the  air  campaign  operation  against  targets  in  Serbia  was  especially  successful 
throughout  the  78  days  of  operation  according  to  a  special  report  for  the  U.S.  Air  Force 
(Grant,  1999).  During  Operation  Allied  Force,  Serbian  forces  hacked  into  NATO  Internet 
pages,  erased  email  archives,  and  made  email  pages  unavailable  for  some  time  (Hancock, 
1999). 

In  2000,  in  an  operation  named  Moonlight  Maze  by  American  Intelligence,  U.S. 
officials  discovered  a  pattern  of  probing  of  computer  systems  at  the  Pentagon,  NASA,  the 
U.S.  Department  of  Energy,  private  universities,  and  research  labs.  This  attack  began  in 
March  1998  and  continued  for  nearly  two  years.  During  this  time,  vast  amounts  of  data 
consisting  of  research  and  development  secrets  were  stolen  and  sent  over  the  Internet  to 
Moscow  to  sell  to  the  highest  bidder.  Moreover,  according  to  the  testimony  of  James 
Adams,  CEO  of  Infrastructure  Defense,  Inc.,  the  commercial  value  of  stolen  information 
varied  from  tens  of  millions  of  dollars  to  hundreds  of  millions  of  dollars  (Adams,  2013). 

Disturbingly, some of the most sensitive and secure federally-owned networks
have been compromised. In 2006, the U.S. Naval War College computer network was
completely inactive for some time because of the cyber intrusions (Decker and Douglass,
2011). In 2007, the Oak Ridge National Laboratory, where the first atomic bomb was
produced, was attacked by a highly educated group who are allegedly Chinese (Decker
and Douglass, 2011), in a series of cyber attack attempts at a larger penetration of U.S.
national security. The same year, a document was leaked about an internal review that
reported a Chinese military cyber attack on Pentagon computer networks, including the
one used by Defense Secretary Robert Gates (Decker and Douglass, 2011). Also, the U.S.
government suffered “an espionage Pearl Harbor” in the same year, in which an unknown
foreign power broke into some of the high-tech networks of the military agencies, and
stole terabytes of information (Shamah, 2013).

Moreover,  cyber  attacks  have  targeted  U.S.  military  computer  systems  installed 
overseas.  In  2008,  a  hacking  incident  occurred  on  a  U.S.  military  facility  in  the  Middle 
East.  United  States  Deputy  Secretary  of  Defense  William  J.  Lynn  III  had  the  Pentagon 
release  a  document,  which  noted  that  “malicious  code”  on  a  USB  flash  drive  spread 
undetected  on  both  classified  and  unclassified  Pentagon  systems,  establishing  a  digital 
beachhead  from  which  data  could  be  transferred  to  servers  under  foreign  control.  “This 
was  the  most  significant  breach  of  U.S.  military  computers  ever  and  it  served  as  an 
important  wake-up  call,”  Lynn  wrote  in  an  article  for  Foreign  Affairs  (Lynn,  2010). 

In  2010,  for  the  first  time  the  United  States  publicly  warned  of  the  Chinese 
military’s  use  of  civilian  computer  experts  in  clandestine  cyber  attacks  aimed  at  American 
companies  and  government  agencies.  DOD  also  pointed  to  an  alleged  China-based 
computer  spying  network  dubbed  GhostNet  that  was  revealed  in  a  research  report  in  2009. 
The  DOD  stated:  “The  People’s  Liberation  Army  is  using  “information  warfare  units”  to 
develop  viruses  to  attack  enemy  computer  systems  and  networks,  and  those  units  include 
civilian  computer  professionals”  (DOD,  2009). 

The U.S., of course, is not the only target of cyber attacks. In 2010, a specially
designed computer virus, Stuxnet, was revealed. It was a revolution in special cyber
weapons. It was designed to spread on microchips, which means any electronic device that
is not a computer. It spread on electronic systems mostly in Iran to decrease the
uncontrolled nuclear development, and it destroyed ~1000 uranium centrifuges out of
5000, causing a capacity decrease of 20% (Sanger, 2012).

More recently, attacks have become more damaging and more focused on specific
weapons development programs. In 2012, according to a report prepared for the DOD by
the Defense Science Board, Chinese hackers have gained access to designs of more than
two dozen major U.S. weapons systems. The Washington Post said that these designs
included combat aircraft and ships, missile defense systems including the Patriot missile
system, the Navy’s Aegis ballistic missile defense systems, the F/A-18 fighter jet, the
V-22 Osprey, the Black Hawk helicopter and the F-35 Joint Strike Fighter (Nakashima,
2013).

Equally dangerous are attacks targeting the national economy. In 2012, distributed
denial of service (DDoS) attacks were carried out against the New York Stock Exchange
and a number of banks, including J.P. Morgan Chase. Credit for these attacks was claimed
by a hacktivist group called the Qassam Cyber Fighters, which have labeled the attacks
“Operation Ababil.” The attacks had been executed in several phases and were restarted in
March 2013. The size of the attacks (65 gigabits/second) is more consistent with a state
actor than with a typical hacktivist DoS attack (~2 gigabits/second) (Gonsalves, 2012).
Such threats are not reserved for the U.S. alone. In 2013 an attack was launched against
South Korea. A logic bomb struck machines “and wiped the hard drives and master boot
records of at least three banks and two media companies simultaneously” (Singel, 2010).

Overall, the amount of malicious code generated over the world is increasing
exponentially (see Figure 1), which affects the military networks as well as infrastructure,
government and supply chain related networks. Moreover, with an increased dependency
on cyberspace, the complexity of the tools and the harmful effects of these infected codes
can become increasingly dangerous.

[Figure 1 chart: “Beware of malware.” New malicious-code signatures written by Symantec, in millions. Source: Symantec.]

Figure 1. New types of malicious codes increased dramatically in the recent years.
The units are in millions (from The Economist, 2010).

B.  BUILDING  BLOCKS 

Lanchester  models  are  well-understood  ordinary  differential  equation  (ODE) 
models  to  explain  mutual  attrition  behaviors  in  combat. 

Cyber  warfare  is  not  a  well-understood  phenomenon,  and  does  not  have  a  single 
well-studied  and  commonly  accepted  mathematical  model.  We  study  two  different  models 
which  capture  different  aspects  of  cyber  warfare.  We  aim  to  explore  the  effect  of  recovery 
by  using  closed  form  Lanchester  models,  and  we  aim  to  capture  the  essence  of  “exploiting 
vulnerabilities  by  spreading  malicious  code”  behavior  of  cyber  operations  by  using  ODE 
models  of  disease  spread. 

This  section  reviews  the  basic  structure  and  terminology  for  each  model. 

The combat models of Schramm (2012) include shock effects, which change some
attributes of fighting forces. We use the shock effects to represent cyber effects (cyber
attack) on a force, which change the fighting capabilities of the force. Fighting capabilities
include kinetic capabilities (kinetic attack) which are represented by Lanchester
aimed-fire. Attrition is a result of kinetic attack only, and cyber effects do not cause attrition. We
use two shock effects in the battle, one representing the cyber attack, and the other
representing the recovery of the effects of the cyber attack. We refer to shock time as the
time the cyber attack (first shock) happens, and recovery time as the time the force
recovers (second shock) back to original attributes. We use two opposing forces in the
model, named Red force (Z) as cyber attacker, and Blue force (B) as cyber defender, unless
stated otherwise.

Schramm and Gaver (2013) combine kinetic battle models (Lanchester models)
with an epidemiological model of disease progression for cyber operations. These models
represent numbers of fighting forces, which change due to a physical loss of a part of the
force (attrition). Lanchester models use attack rate (kinetic attack rate) to represent the
number of effective shots (or kills) on the adversary. The attack rate represents not only
the rate of fire by the attacker, but also represents the rate of successful defense (shielding)
by the defender. So, the attack rate of Blue (to Red), is equivalent to the attrition rate of
Red. Attrition can be a result of kinetic combat (kinetic battle, conventional combat) only,
and infection can be a result of cyber operation (cyber attack) only. A force which can
conduct an offensive cyber operation has a cyber attack capability. A force which has
assets and procedures (defensive cyber actions) to reduce the effect of a cyber attack, has a
cyber defensive capability. A cyber attack may cause a loss of capability (cyber infection,
infection) on the adversary, and cyber defense may reduce this degrading effect. We
assume  in  this  study  that  these  two  capabilities  go  side  by  side,  and  any  force  with  cyber 
attack  capability  also  has  cyber  defense  capability.  However,  one  cyber  capability  may  be 
stronger  than  the  other. 

The  term  infection  (disease)  used  in  this  study  is  a  broad  term,  which  can  be  used 
for  any  effect  that  reduces  a  force’s  warfighting  capabilities,  and  is  not  lethal.  In  this 
study,  this  effect  is  limited  to  cyber  malware.  It  can  be  defined  differently,  in  order  to 
model  different  effects.  We  use  infected  unit  to  describe  any  unit  affected  by  a  cyber 
attack.  This  type  of  infection  is  designed  to  spread  in  the  cyberspace,  using  system  gaps 
and  backdoors,  which  we  call  vulnerabilities.  A  detailed  definitions  list  for  technical  terms 
is  added  in  Appendix  A. 

1. Combat (Kinetic) Models


Lanchester  Models  are  the  main  combat  models  used  in  this  study.  We  limit  the 
models  to  Aimed-fire  and  Area-fire,  but  the  models  can  be  used  in  various  ways.  These 
models  use  differential  equations  to  describe  changes  in  the  surviving  force  levels  in  a 
combat.  Each  force  is  assumed  to  consist  of  homogeneous  units  in  terms  of  their 
geography  and  range.  For  each  force,  we  assume  that  we  can  calculate  an  overall  kill  rate 
per instant of time (dt). For the Aimed-fire model, we assume that these shots are aimed at
individual  adversarial  live  targets.  For  the  Area-fire  model,  we  assume  that  an  area  of 
interest  is  under  fire  (e.g.,  artillery,  mortar,  air  support),  without  considering  specific 
target  attributes.  Although  these  two  models  seem  similar,  their  units  of  measures  are 
different,  and  we  cannot  compare  the  results  from  these  two  models  directly. 

We  summarize  these  two  models  as  follows. 

a.  Aimed  Fire 

For Aimed-fire, the basic equations are:

$$\frac{dB(t)}{dt} = -p\,Z(t), \tag{2.1}$$

$$\frac{dZ(t)}{dt} = -p\,B(t). \tag{2.2}$$


Here, B(t) is the number of overall alive Blue units at time t, and Z(t) is the
corresponding number of overall alive Red units. The term $\frac{dB(t)}{dt}$ means the change in the
Blue force in dt, and p represents the constant attack rate of Red. So, in an aimed-fire
model, the number of killed in Blue force depends on number of shooters on Red force,
and their shooting effectiveness against individual Blue targets. Similarly, $\frac{dZ(t)}{dt}$ represents
the change in Red force in dt, and p is the constant attack rate of Blue. Note that the
recipient of aimed fire is explicitly an active (fighting) member of the opposing force.

Attack rates in these models represent both offensive and defensive measures. That
is, there is no explicit means to change the kinetic defense. Defensive measures may be
considered when estimating attack rate. The attack rates in these models are all constants.
They do not depend on time or size of the force.

The exchange ratio is the ratio of change in force level of B(t) with respect
to Z(t) in dt; it depends on force levels and attack rate ratios in Aimed-fire models.
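
An added example, not code from the thesis: a closed-form evaluation of the aimed-fire equations (2.1) and (2.2) with the two shocks described under Building Blocks, where a cyber attack degrades Blue's attack rate at the shock time and a recovery restores it. The names `blue_rate`, `red_rate` and `degrade`, and all force sizes and rates, are constructed for illustration; the last function searches for the latest recovery time at which Blue still wins.

```python
import math

def time_to_zero(blue, red, blue_rate, red_rate):
    """Under constant rates, return (side annihilated first, time until then)."""
    sb = blue * math.sqrt(blue_rate)   # square-law fighting strength of Blue
    sr = red * math.sqrt(red_rate)     # square-law fighting strength of Red
    k = math.sqrt(blue_rate * red_rate)
    if sb == sr:
        return None, math.inf          # exact parity: neither side reaches zero
    if sb < sr:
        return "Blue", math.atanh(sb / sr) / k
    return "Red", math.atanh(sr / sb) / k

def advance(blue, red, blue_rate, red_rate, tau):
    """Closed-form solution of dB/dt = -red_rate*Z, dZ/dt = -blue_rate*B after tau."""
    k = math.sqrt(blue_rate * red_rate)
    c, s = math.cosh(k * tau), math.sinh(k * tau)
    new_blue = blue * c - math.sqrt(red_rate / blue_rate) * red * s
    new_red = red * c - math.sqrt(blue_rate / red_rate) * blue * s
    return new_blue, new_red

def battle(blue0, red0, blue_rate, red_rate,
           shock_time=None, recovery_time=None, degrade=1.0):
    """Fight to annihilation. Between shock_time and recovery_time Blue's attack
    rate is multiplied by degrade (0 < degrade <= 1); the shock itself kills nobody."""
    if not 0.0 < degrade <= 1.0:
        raise ValueError("degrade must be in (0, 1]")
    phases = [(math.inf, blue_rate)]                 # (phase length, Blue's rate)
    if shock_time is not None:
        phases = [(shock_time, blue_rate)]
        if recovery_time is None:                    # permanent shock
            phases.append((math.inf, blue_rate * degrade))
        else:                                        # shock followed by recovery
            phases += [(recovery_time - shock_time, blue_rate * degrade),
                       (math.inf, blue_rate)]
    t, blue, red = 0.0, float(blue0), float(red0)
    for length, rate in phases:
        loser, tau = time_to_zero(blue, red, rate, red_rate)
        if loser is not None and tau <= length:      # battle ends inside this phase
            blue, red = advance(blue, red, rate, red_rate, tau)
            winner = "Red" if loser == "Blue" else "Blue"
            return {"winner": winner, "duration": t + tau,
                    "blue": max(blue, 0.0), "red": max(red, 0.0)}
        if math.isinf(length):
            break
        blue, red = advance(blue, red, rate, red_rate, length)
        t += length
    return {"winner": "Draw", "duration": math.inf, "blue": blue, "red": red}

def critical_recovery_time(blue0, red0, blue_rate, red_rate,
                           shock_time, degrade, tol=1e-6):
    """Latest recovery time at which Blue still wins, found by bisection.
    Returns None when the shock cannot flip the outcome in the first place."""
    base = battle(blue0, red0, blue_rate, red_rate)
    perm = battle(blue0, red0, blue_rate, red_rate, shock_time, None, degrade)
    if base["winner"] != "Blue" or perm["winner"] != "Red":
        return None
    lo, hi = shock_time, perm["duration"]
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        result = battle(blue0, red0, blue_rate, red_rate, shock_time, mid, degrade)
        if result["winner"] == "Blue":
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0

if __name__ == "__main__":
    # Constructed scenario: 100 Blue vs 80 Red, equal attack rates of 0.01,
    # cyber attack at t = 10 cuts Blue's attack rate to a quarter.
    args = (100, 80, 0.01, 0.01)
    print("no shock:       ", battle(*args))
    print("permanent shock:", battle(*args, shock_time=10, degrade=0.25))
    print("recovery at 30: ", battle(*args, shock_time=10, recovery_time=30, degrade=0.25))
    print("recovery at 90: ", battle(*args, shock_time=10, recovery_time=90, degrade=0.25))
    print("critical recovery time:", critical_recovery_time(*args, 10, 0.25))
```

In this constructed scenario Blue wins the undisturbed battle, loses if the degradation is permanent, and keeps the win only if it recovers before roughly t = 57.65.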


b.  Area  Fire 


For Area-fire, the basic equations are:

$$\frac{dB(t)}{dt} = -p\,Z(t)\,B(t), \tag{2.3}$$

$$\frac{dZ(t)}{dt} = -p\,B(t)\,Z(t). \tag{2.4}$$


Here, the number of Blue units killed in the Area-fire model depends on number of
Red shooters, number of targets on the area (density), and Red’s shooting effectiveness.

The exchange ratio does not depend on force levels, and solely depends on attack
rates in the Area-fire model.

Aimed-fire  and  Area-fire  models  are  the  most  eommonly  used  combat  models. 
They  are  crude,  but  roughly  explanatory.  Using  experimental  data  and  proper  tools, 
combat  factors  can  be  understood  and  even  ean  be  predieted.  Figure  2  eompares  a 
Lanehester  aimed-fire  model  with  reinforcements  to  real  data  from  the  well-known  study 
of  the  1945  Battle  of  Iwo-Jima  (Engel,  1954). 
Figure 2. Comparison of the Lanchester model outcome and real results for the 1945 Battle of Iwo-Jima (from Engel, 1954).

2.  Epidemic  Models 

The commonly used mathematical models in epidemiology are S-I and S-I-R models. An overall population is partitioned into three groups, described as susceptible (S), infected (I), and recovered (R) (Murray, 2002). Although there are more detailed and expanded infection models, we use the S-I-R model as a base model, as was used in Schramm and Gaver (2013), and use it to construct later models.

Epidemic models are classified by the spread type. We use Kermack-McKendrick type spread in this study, which is consistent with general S-I-R models, but we will not consider natural births, deaths, migration, or partial immunization as studied in the paper (Kermack and McKendrick, 1927). Although there are different types of infection spread models (e.g., Lanchester infection, Daley-Kendall infection, Michaelis-Menten infection) for different environments and assumptions, we will use a simple, generalized, and well-studied model for infection spread.

For a fixed population of size $N$, $N = S(t) + I(t) + R(t)$, where $S(t)$ (respectively $I(t)$ and $R(t)$) is the number of population members that are susceptible (respectively infected and recovered) at time $t$. The original Kermack and McKendrick (1927) epidemic model is:
$$\frac{dS(t)}{dt} = -\xi\, S(t)\, I(t), \tag{2.5}$$

$$\frac{dI(t)}{dt} = \xi\, S(t)\, I(t) - \gamma\, I(t), \tag{2.6}$$

$$\frac{dR(t)}{dt} = \gamma\, I(t). \tag{2.7}$$

The term $dS(t)/dt$ represents the change in the subpopulation susceptible to the disease, which depends on the contacts between members that are infected and susceptible, and on the spread rate ($\xi$). The term $dR(t)/dt$ represents the change in the subpopulation recovered from the disease, in this case equal to the cure rate ($\gamma$) times the number infected. The term $dI(t)/dt$ represents the change in the number of the population that is infected, which follows from the other two equations because the population total ($N$) is constant.

We  use  these  models  to  explore  different  aspects  of  cyber  warfare  on  kinetic 
battles.  Appendix  C  discusses  the  methodology  we  use  to  understand  and  explain  these 
models. 
III. DISCRETE CYBER EFFECTS

In this chapter, we consider the discrete effects of cyber operations on combat. We build on the work of Schramm (2012), who considers a kinetic battle between two opponents, one of whom suffers a discontinuous "shock" that instantly degrades its fighting capability. An important aspect of this model is that only the kinetic battle results in attrition. The cyber effect does not cause any attrition, but changes its pace. The motivating idea is to consider a fighting force whose effectiveness derives from its ability to coordinate its operations using a communications and/or computer network. The degradation to fighting capability comes from the loss of the network, which is presumed to happen suddenly (e.g., from a cyber attack by the opponent). Schramm explores the impact of the timing and size of this shock on the kinetic battle.

We extend this work by adding a second shock that cures the impacts of the first shock (e.g., corresponding to a restoration of the underlying network). This second shock helps to limit the effects of the cyber attack, and helps to quantify its impact on overall attrition. We restrict attention to Lanchester aimed-fire calculations in this chapter.

We begin with a summary of Schramm (2012). Consider a battle involving aimed fire. Consider the case where Blue suffers a shock at time $t_*$ that decreases Blue's attack rate from $\beta_U$ to $\beta_D$, where $\beta_D < \beta_U$. The modified Lanchester equations then become the following.

$$\frac{dZ(t)}{dt} = -\beta_U\, B(t), \quad t < t_*, \tag{3.1}$$

$$\frac{dZ(t)}{dt} = -\beta_D\, B(t), \quad t \ge t_*, \tag{3.2}$$

$$\frac{dB(t)}{dt} = -\rho\, Z(t), \quad \forall\, t. \tag{3.3}$$
A. EXPLORATION OF LANCHESTER MODELS WITH DISCONTINUITIES

In their most general form, let $\beta(t)$ denote the instantaneous attack rate of Blue (on Red) at time $t$, and similarly let $\rho(t)$ denote the attack rate of Red (on Blue). The general form of the Lanchester equations is as follows:

$$\frac{dZ(t)}{dt} = -\beta(t)\, B(t), \tag{3.4}$$

$$\frac{dB(t)}{dt} = -\rho(t)\, Z(t), \tag{3.5}$$

$$\frac{dZ(t)}{dB(t)} = \frac{\beta(t)\, B(t)}{\rho(t)\, Z(t)}, \tag{3.6}$$

$$Z(t)\, dZ(t) = \frac{\beta(t)}{\rho(t)}\, B(t)\, dB(t), \tag{3.7}$$

$$\int_0^t \rho(t)\, Z(t)\, dZ(t) = \int_0^t \beta(t)\, B(t)\, dB(t). \tag{3.8}$$

The case where Blue suffers a single shock degrading its combat capability corresponds to the following attack rates:

$$\rho(t) = \rho, \quad 0 < t < t_f,$$

$$\beta(t) = \begin{cases} \beta_U, & 0 < t < t_* \\ \beta_D, & t_* \le t < t_f \end{cases}$$

Let $t_f$ denote the time at which the battle ends. We define the following mathematical terms:

$B(t = 0) = B_0$, $Z(t = 0) = Z_0$ : initial number of force units,

$B(t = t_*) = B_*$, $Z(t = t_*) = Z_*$ : number of force units at the time of shock,

$B(t = t_f) = B_f$, $Z(t = t_f) = Z_f$ : number of force units at the end of the battle.
Throughout this analysis we assume that $B_0 > B_* > B_f$ and $Z_0 > Z_* > Z_f$. To evaluate $B_*$ and $Z_*$, we use the numbers just before the time of shock, to be consistent.

We can rewrite Eq. (3.8) for the given model:

$$\rho \int_0^{t_f} Z\, dZ = \beta_U \int_0^{t_*} B\, dB + \beta_D \int_{t_*}^{t_f} B\, dB. \tag{3.9}$$

This implies that:

$$\rho\, (Z_0^2 - Z_f^2) = \beta_U\, (B_0^2 - B_*^2) + \beta_D\, (B_*^2 - B_f^2). \tag{3.10}$$

The end of the battle can be set when the force size of one side (Red) is 70% of the initial number of units, or the force size of the other side (Blue) is 50% of the initial number of units. For simplicity, we use fight to the finish in this study. In case of a fight to the finish, at the end of the battle one of the force sizes would reach zero.

The new dynamic state equation (with shock) is:

$$B_*^2 - B_f^2 = \frac{\beta_U\, (B_0^2 - B_f^2) - \rho\, (Z_0^2 - Z_f^2)}{\beta_U - \beta_D}. \tag{3.11}$$

We can summarize the dynamic state equations both without and with cyber effect:

$$\beta_U\, (B_0^2 - B_f^2) - \rho\, (Z_0^2 - Z_f^2) = 0 \quad \text{(without cyber effect)}$$

$$\beta_U\, (B_0^2 - B_f^2) - \rho\, (Z_0^2 - Z_f^2) = (B_*^2 - B_f^2)(\beta_U - \beta_D) \quad \text{(with cyber effect)}$$

The difference in the dynamic state equation caused by the cyber attack of Red on Blue is:

$$(B_*^2 - B_f^2)(\beta_U - \beta_D). \tag{3.12}$$

Note that regardless of the victorious side, one of $B_f$ or $Z_f$ will be zero and the other one will be positive, which represents the survivors from the battle when the battle is over and there is no more cyber attack. We refer to this case as "no recovery," because in this case Blue was attacked but did not recover, and continued to fight with degraded attack rate $\beta_D$.
We display the results of a numerical experiment in Figure 3 and Figure 4. Both sides start with the same initial numbers, but with different attack rates. We increased the detail level in the graphs by using 10 steps in 1 time unit ($t$), and to reproduce these figures, time should be divided by 10.

Figure 3. One-sided shock effect on number of survivors.
Given initial force sizes $B_0 = Z_0 = 1000$, the battle begins with $\beta_U = 0.5$, $\rho = 0.3$. However, at time $t_*$, Blue suffers a shock that reduces its attack rate to $\beta_D = 0.05$. Despite the initial fighting superiority of Blue, Red wins the battle.

Figure 4. Shock effect on Blue's kinetic attack rates.
(Time is multiplied by 10 on both figures)

Figure 3 shows the change in number of units for both sides throughout the combat. At $t_*$ we see a change in Blue's attack rate, which (we assume) is caused by a cyber attack launched by Red (Figure 5). The cyber attack affects the attrition of both sides. Explicitly, it enables Red to win despite an initial fighting inferiority.

B. DISCONTINUOUS DEGRADATION AND RECOVERY

We next consider the case where Blue suffers but then recovers from a cyber attack. We do this through the use of two shocks, in which the first one downgrades the attack rate of Blue to $\beta_D$ and the second one upgrades the attack rate back to normal, $\beta_U$. Let $t_{*1}$ denote the time of the first (degrading) shock, and let $t_{*2}$ denote the time of the second (recovery) shock. The corresponding attack rates for each side are:

$$\rho(t) = \rho, \quad 0 < t < t_f,$$

$$\beta(t) = \begin{cases} \beta_U, & 0 < t < t_{*1} \\ \beta_D, & t_{*1} \le t < t_{*2} \\ \beta_U, & t_{*2} \le t < t_f \end{cases}$$

Dropping the explicit time dependence for $B$ and $Z$, we write the battle equations as:

$$\frac{dZ}{dt} = -\beta_U\, B, \quad 0 < t < t_{*1}, \tag{3.13}$$

$$\frac{dZ}{dt} = -\beta_D\, B, \quad t_{*1} < t < t_{*2}, \tag{3.14}$$

$$\frac{dZ}{dt} = -\beta_U\, B, \quad t_{*2} < t < t_f, \tag{3.15}$$

$$\frac{dB}{dt} = -\rho\, Z, \quad \forall\, t. \tag{3.16}$$
Now we use the same numerical experiment as in Figure 3 and Figure 4, but we add the second shock to the system. Now Blue is degraded by a cyber attack at $t_{*1}$ and Blue recovers from the cyber attack at $t_{*2}$. Both sides start with the same initial numbers, but with different attack rates. Figure 5 and Figure 6 can be compared to Figure 3 and Figure 4 to visually see the effects of recovery at $t_{*2}$.

Figure 5. Effect of two shocks on number of survivors.
Here, Blue suffers a degradation at time $t_{*1}$ but recovers at $t_{*2}$ and is still able to win the battle. (Time is multiplied by 10.)

Figure 6. Two shock effects on kinetic attack rates.
(Time is multiplied by 10.)
Figure 5 shows the change in number of units throughout the combat, in case of two shocks. Figure 6 shows the change in kinetic attack rates of forces. At $t_{*1}$ we see a drop in Blue's attack rate, and at $t_{*2}$ it recovers. These figures show how the recovery from a cyber attack affects the attrition of both sides. Explicitly, it changes the pattern of Red, and the change in Red causes a change in Blue. Now Blue wins the battle, again.

We use the same notation and keep the same set of assumptions, $B_0 > B_{*1} > B_{*2} > B_f$ and $Z_0 > Z_{*1} > Z_{*2} > Z_f$, which means that the cyber attack happens ($t_{*1}$) before recovery ($t_{*2}$). Note that $t_f$ cannot be smaller than $t_{*2}$, and $t_{*2}$ cannot be smaller than $t_{*1}$, for a logical sequence. They can be equal, but then there would be no change in the state equation. We can rewrite Eq. (3.9) for the given model:

$$\rho \int_0^{t_f} Z\, dZ = \beta_U \int_0^{t_{*1}} B\, dB + \beta_D \int_{t_{*1}}^{t_{*2}} B\, dB + \beta_U \int_{t_{*2}}^{t_f} B\, dB. \tag{3.17}$$

The closed form of the equations is, in this special case:

$$\rho\, (Z_0^2 - Z_f^2) = \beta_U\, (B_0^2 - B_{*1}^2) + \beta_D\, (B_{*1}^2 - B_{*2}^2) + \beta_U\, (B_{*2}^2 - B_f^2). \tag{3.18}$$

The expression $B_{*1}$ uses the number of Blues at the time of the successful cyber attack, and the expression $B_{*2}$ uses the number of Blues at the time of full recovery from cyber-affected targets. The term $(\beta_U - \beta_D)$ represents the reduction in kinetic attack rate due to a successful cyber attack.

The dynamic state equation in this case is:

$$B_{*1}^2 - B_{*2}^2 = \frac{\beta_U\, (B_0^2 - B_f^2) - \rho\, (Z_0^2 - Z_f^2)}{\beta_U - \beta_D}. \tag{3.19}$$

We can summarize the dynamic state equations as:

$$\beta_U\, (B_0^2 - B_f^2) - \rho\, (Z_0^2 - Z_f^2) = 0 \quad \text{(without cyber effect)}$$

$$\beta_U\, (B_0^2 - B_f^2) - \rho\, (Z_0^2 - Z_f^2) = (B_{*1}^2 - B_{*2}^2)(\beta_U - \beta_D) \quad \text{(with cyber effect)}$$
In this case the change in the dynamic state equation caused by the cyber attack of Red on Blue is:

$$(B_{*1}^2 - B_{*2}^2)(\beta_U - \beta_D), \tag{3.20}$$

which is the same result as with one shock. The reason for the square is that we use an underlying square law (aimed fire) in the model. This would be a straight multiplication if we used a linear law (area fire).

We can also adapt (3.19) for the cases with strictly one shock (no cure), if we use the second shock time as the end of the battle ($t_{*2} < t_f$). We should point out that the end of battle can be predefined as a level (i.e., percentage, number) for either of the two sides; however, we use a fight to the finish assumption to obtain a clear picture of the model results.

(3.12) is another important equation, which provides an intuitive result concerning how a cyber attack on one side (B here) can change the opponent's effectiveness, and can change the overall battle result. The cyber attack on Blue causes a difference in the dynamic state equation of $(B_{*1}^2 - B_{*2}^2)(\beta_U - \beta_D)$, which shows itself as the reduction in attrition of Red. So if a cyber attack starts at $t_{*1}$ and ends (or is cured) by $t_{*2}$, and the effectiveness drops down to $\beta_D$ between these times, then, assuming that the whole Blue force is affected by the cyber attack, the damage caused by this attack can be summarized as:

$$(B_{*1}^2 - B_{*2}^2)(\beta_U - \beta_D). \tag{3.21}$$

Eqs. (3.19) and (3.21) show that the period of time between cyber attack time $t_{*1}$ and recovery time $t_{*2}$ is crucial. Also, if we have a central or a bottleneck cyber target (i.e., a main network server, a communication server), the size of the affected Blue force is crucial. Both of these terms will greatly boost the effectiveness of Red's cyber attack on Blue, but the reduction in the kinetic attack rate of Blue caused by Red's cyber attack will boost the effectiveness of the cyber attack proportionally.
Similar to previous numerical experiments, we use the same numerical experiment as in Figure 5 and Figure 6, but we change the time of the second shock. Now Blue is degraded by a cyber attack at $t_{*1}$ and Blue recovers from the cyber attack at $t_{*2}$, but the duration between these two shocks is increased by 30%. Both sides start with the same initial numbers, with different attack rates. Figure 7 and Figure 8 can be compared to Figure 5 and Figure 6 to visually see the impacts of the timing of recovery ($t_{*2}$) and the duration ($t_{*2} - t_{*1}$) of cyber attack effects.

Figure 7. Effect of a longer cyber attack duration on number of survivors.
In this case, Blue is degraded long enough for Red to get the advantage and win.

Figure 8. Effect of two shocks on kinetic attack rates for a longer cyber effect time.
(Time is multiplied by 10 on both figures)

The increase in time between the two shocks affects the battle significantly and helps the cyber attacker (Red) to win the battle. Figure 7 displays the change in number of units, in case of two shocks, for a larger timeframe compared to Figure 5. Figure 8 displays the change in kinetic attack rates of the forces. At $t_{*1}$ again, we see a drop in Blue's attack rate, and at $t_{*2}$ it recovers. Comparing these figures we see that when it takes a longer time (30%) for Blue to recover, Red wins the battle.
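The one-shock and two-shock experiments of Sections A and B can be reproduced exactly, because between shocks the aimed-fire equations have a closed-form hyperbolic solution. The Python below is an added example, not code from the thesis; the force sizes and attack rates are the ones quoted with Figure 3, while the shock times (1.0, 3.0, and the 30% longer window ending at 3.6) are assumed values, since the text does not state the times used in the figures.

```python
import math

B0 = Z0 = 1000.0                      # initial force sizes (from the Figure 3 caption)
BETA_U, BETA_D, RHO = 0.5, 0.05, 0.3  # attack rates (from the Figure 3 caption)
T1, T2 = 1.0, 3.0                     # ASSUMED shock times: degrade at T1, recover at T2
T2_LONG = T1 + 1.3 * (T2 - T1)        # recovery delayed by 30%, as in Figures 7 and 8

def advance(B, Z, beta, rho, dt):
    """Exact solution of dB/dt = -rho*Z, dZ/dt = -beta*B over a span dt."""
    w = math.sqrt(beta * rho)
    c, s = math.cosh(w * dt), math.sinh(w * dt)
    return (B * c - math.sqrt(rho / beta) * Z * s,
            Z * c - math.sqrt(beta / rho) * B * s)

def time_to_finish(B, Z, beta, rho):
    """Time until one side reaches zero at constant rates (inf at exact parity)."""
    b, z = B * math.sqrt(beta), Z * math.sqrt(rho)
    if b == z:
        return math.inf
    return math.atanh(min(b, z) / max(b, z)) / math.sqrt(beta * rho)

def battle(schedule, B=B0, Z=Z0, rho=RHO):
    """Fight to the finish; schedule = [(start_time, beta), ...] starting at 0."""
    t, levels, betas = 0.0, [B], []   # levels: B0, B at each shock reached, Bf
    for i, (_, beta) in enumerate(schedule):
        end = schedule[i + 1][0] if i + 1 < len(schedule) else math.inf
        betas.append(beta)
        tf = time_to_finish(B, Z, beta, rho)
        if math.isinf(tf) and math.isinf(end):
            raise ValueError("exact parity: neither side is ever annihilated")
        if t + tf <= end:             # the battle ends inside this phase
            B, Z = advance(B, Z, beta, rho, tf)
            t += tf
            if B < Z:
                B = 0.0               # clamp the loser's rounding residue
            else:
                Z = 0.0
            break
        B, Z = advance(B, Z, beta, rho, end - t)
        t = end
        levels.append(B)              # Blue's level at the shock (B*)
    levels.append(B)
    return {"winner": "Blue" if B > Z else "Red", "tf": t, "Bf": B, "Zf": Z,
            "levels": levels, "betas": betas}

def state_equation_gap(r, rho=RHO):
    """Left side minus right side of Eq. (3.10)/(3.18); zero if the law holds."""
    lv = r["levels"]
    rhs = sum(b * (lv[i] ** 2 - lv[i + 1] ** 2) for i, b in enumerate(r["betas"]))
    return rho * (Z0 ** 2 - r["Zf"] ** 2) - rhs

def state_residual(r, rho=RHO):
    """beta_U (B0^2 - Bf^2) - rho (Z0^2 - Zf^2): zero without a cyber effect."""
    return BETA_U * (B0 ** 2 - r["Bf"] ** 2) - rho * (Z0 ** 2 - r["Zf"] ** 2)

def cyber_term(r):
    """(B*1^2 - B*2^2)(beta_U - beta_D), Eqs. (3.12)/(3.20); B*2 = Bf if no recovery."""
    lv = r["levels"]
    return (lv[1] ** 2 - lv[2] ** 2) * (BETA_U - BETA_D) if len(lv) > 2 else 0.0

def run_scenarios():
    return {
        "no shock": battle([(0.0, BETA_U)]),
        "one shock": battle([(0.0, BETA_U), (T1, BETA_D)]),
        "two shocks": battle([(0.0, BETA_U), (T1, BETA_D), (T2, BETA_U)]),
        "two shocks, +30%": battle([(0.0, BETA_U), (T1, BETA_D), (T2_LONG, BETA_U)]),
    }

if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:17s} winner={r['winner']:4s} tf={r['tf']:6.3f} "
              f"Bf={r['Bf']:7.2f} Zf={r['Zf']:7.2f} "
              f"residual={state_residual(r):10.2f} cyber term={cyber_term(r):10.2f}")
```

With these assumed times the winner flips from Blue to Red when the degraded window grows from 2.0 to 2.6 time units, and in every scenario the residual of the state equation equals the cyber term of Eqs. (3.12) and (3.20).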

C.  ADDITIONAL  EXTENSIONS 

1.  Special  Case:  Recovery  Decisions  by  Blue 

Now consider the case in which Blue can make a decision to fight against the cyber attack or not. Since any defensive actions will need some resources, we can compare how many resources Blue should allocate for recovering after a successful cyber attack. When should Blue continue with the kinetic attack (ignore the cyber incident), and when should Blue try to recover?

We showed that without recovering the cyber-affected units, the reduction in the state equation will persist until the end of the battle, so the difference in the state equation is $(B_{*1}^2 - B_f^2)(\beta_U - \beta_D)$. With recovery of the cyber-affected Blue units, the difference in the state equation can be estimated as $(B_{*1}^2 - B_{*2}^2)(\beta_U - \beta_D)$. That means recovery causes a change in the state equation of $(B_{*2}^2 - B_f^2)(\beta_U - \beta_D)$. Now the question is "is this difference worth allocating resources to recover?"

We can rephrase this expression as follows: the power of attack gained back (attrition of Red) by Blue recovering from a cyber attack is:

$$(B_{*2}^2 - B_f^2)(\beta_U - \beta_D). \tag{3.22}$$

2.  Special  Case:  Reinforcements  for  Blue 

Suppose Blue can obtain one of two types of assistance at time $t_{*2}$. One is cyber assistance, which will increase Blue's attack rate back to $\beta_U$ from $\beta_D$. The other type of assistance will add $B_r$ units to the kinetic battle, and Blue's attack rate will remain at the lower rate $\beta_D$. Considering that Blue receives a reinforcement unit $B_r$ in number at time $t_{*2}$, the second shock at $t_{*2}$ can be used for either recovery, or not.

Obviously, if the gain from kinetic battle is greater than the gain from recovery, then the assistance should be used in kinetic combat.

We need to compare two cases for $t_{*2}$: the case where there is no recovery and Blue uses the reinforcements, $B_r$, with the degraded rate, and the case where the assistance is used to recover from the cyber attack. So if $B_r^2\, \beta_D > (B_{*2}^2 - B_f^2)(\beta_U - \beta_D)$, then Blue should use this assistance ($B_r$) for kinetic combat; otherwise, use the cyber assistance. Rewriting the equation:

B‘ 


B1 


>1- 


(3.23) 


Or in other words, assuming this is a fight to the finish battle (e.g., $B_f = 0$), use the assistance to recover from the cyber attack if:

$$\frac{\beta_U - \beta_D}{\beta_D} > \left(\frac{B_r}{B_{*2}}\right)^2. \tag{3.24}$$

So, this comparison gives some insight about what is most important. If a unit is under cyber attack with a shock such as a computer virus attack, a triggered zero-day attack, a DoS (denial of service) attack, a highly centralized target (network bottleneck) attack, etc., we can use this comparison. It means using the kinetic combat assistance if the degraded attack rate does not make much difference or if the additional kinetic force is significantly larger compared to Blue forces in the theater at the (estimated) time of recovery.

Numerically, if the arriving force ($B_r$) is roughly 10% of the size of the recovery-time force ($B_{*2}$), it makes sense to use it in kinetic battle if the decrease in attack rate because of the cyber attack, $\beta_U - \beta_D$, is less than 1% of $\beta_D$ (i.e., the cyber attack is very ineffective). However, Blue should use the cyber assistance to recover the affected unit(s) if the ratio of the decrease to the downgraded attack rate is more than 1%.

Now we have a value for the cyber attack effect to compare and evaluate with kinetic battle, $(B_{*1}^2 - B_f^2)(\beta_U - \beta_D)$, and another value for recovering from a cyber attack, $(B_{*2}^2 - B_f^2)(\beta_U - \beta_D)$. With the fact that $B_{*1} > B_{*2}$, we have a solid background to compare these effects. Under the given assumptions, we can generalize that:

If Blue is able to prevent a successful cyber attack at $t_{*1}$, the gain (prevented loss) will be:

$$(B_{*1}^2 - B_f^2)(\beta_U - \beta_D). \tag{3.25}$$

If Blue is able to recover from a successful cyber attack at $t_{*2}$, the gain (prevented loss) will be:

$$(B_{*2}^2 - B_f^2)(\beta_U - \beta_D). \tag{3.26}$$

These calculations assume that $B_{*1} > B_{*2} > B_f$ for all times $t$.
IV. CONTINUOUS CYBER EFFECTS

In this chapter, we model continuous or gradual effects of cyber operations on combat. We build on the work of Schramm and Gaver (2013), which represents the continuous effect by a cyber epidemic model that causes degradation in the kinetic capabilities of the cyber-infected side. We expand this model by adding cyber capabilities to the infected side, which adds the capability to infect and degrade the kinetic capabilities of the adversary side as well. We explore the interactions of these two cyber epidemics on kinetic battle results, both numerically and analytically.

The spread of a cyber infection is a critical aspect of cyber operations in this model. We assume that a cyber effect starts with an infected unit. We control the effectiveness of a cyber attack by changing the infection spread (spread rate, spread). The infection decreases the effectiveness of a kinetic attack by degrading the attack rate. We use patch (patch rate) to describe the cure of infection.

In order to model infection and spread of disease within the fighting population, we assign each fighting unit to one of three states. A unit is in State S if it is not affected by cyber infection, but is vulnerable and can be infected at any time. A unit is in State I (infected) if it is affected by cyber infection, and such units have a decreased kinetic attack rate against the adversary. A unit is in State R if it is immune to the particular infection, either by removing the infection or by using a patch (immunization) for the infection. With time, the number of units in state S decreases because susceptible units will be either infected and transformed to state I, or cured and transformed to state R. Cure before infection is by patching the susceptible, which is cyber-vaccination for the infection. The number of units in state R increases, because a recovered unit in state R will cure its contacts whether they are in state S or state I. The number of units in state I can either increase or decrease over time, depending on factors which we shall explore. Modeling infection adds a second layer to combat modeling, so at any time these states will also decrease, on top of the changes mentioned, at a constant rate caused by kinetic attacks.
A. THE MIXED EPIDEMIC COMBAT MODEL

We begin with the mixed epidemic combat model of Schramm and Gaver (2013). Capital letters represent state variables which change in time. For ease of understanding, we drop the time-dependence in our notation. So, for instance, $S$ represents $S(t)$. The original model consists of four differential equations:

$$\frac{dZ}{dt} = -\beta_U\, (S + R) - \beta_D\, (I), \tag{4.1}$$

$$\frac{dS}{dt} = (-\xi\, S I - \eta\, S R) - \rho\, Z\, \frac{S}{S + I + R}, \tag{4.2}$$

$$\frac{dI}{dt} = (+\xi\, S I - \eta\, I R) - \rho\, Z\, \frac{I}{S + I + R}, \tag{4.3}$$

$$\frac{dR}{dt} = (+\eta\, S R + \eta\, R I) - \rho\, Z\, \frac{R}{S + I + R}. \tag{4.4}$$

$I$ represents the number of infected units in the Blue force at time $t$, $S$ represents the number of susceptible units in the Blue force at time $t$, and $R$ represents the number of recovered (patched) units in the Blue force at time $t$. The total size of the fighting Blue force is the sum of these variables, i.e., $B = S + I + R$, which decreases in time. Also, $Z$ represents the total number of fighting Red units, which decreases. These variables change continuously in time. Greek letters represent rates, which are constant coefficients: $\beta_U$ represents the attack rate of each Blue unit that is either susceptible or recovered, $\beta_D$ represents the decreased attack rate of each Blue unit that is infected, and $\rho$ represents the normal attack rate of each member of the Red force. There are two attack rates for Blue, because the attack rate is assumed to change after a cyber incident. Also, $\xi$ represents the spread rate of the infection in Blue, and $\eta$ represents the cure rate of the infection of Blue, which occurs when a recovered Blue encounters an infected Blue. Also, susceptible members of Blue recover when encountering recovered Blues at rate $\eta$.

The value of $Z$ changes according to different rates of attrition ($\beta_U$, $\beta_D$), and uses the Lanchester aimed-fire model (2.1, 2.2). The value of $B$ changes depending on kinetic effects and on epidemic effects according to the S-I-R epidemic model (2.5-2.7). In this original model, Red is subject to aimed fire from all Blue units, and Blue is subject to aimed fire and cyber attack by Red. Only the Red force has cyber attack capability, and the asymmetry in capability of forces simplifies the analysis.

B. EXPANDED CYBER EPIDEMIC COMBAT MODEL DEVELOPMENT

Building upon this initial cyber epidemic combat model, we want to explore the interactions and implications for the clash of two cyber-capable sides, such that each side can degrade kinetic capabilities of the adversary using a cyber infection. We propose to use two-sided kinetic and cyber epidemic combat models in order to understand the impacts on the battle of two fighting forces that both have asymmetric capabilities.

1.  Two-sided  Cyber  Epidemic  Combat  Model 

We start with generalizing the Schramm and Gaver (2013) model such that both sides have kinetic and cyber capability. This is the base model for us, which assumes aimed fire. The subscript B represents variables and parameters related to the Blue force. The subscript Z represents variables and parameters related to the Red force.

For simplicity, we suppress the explicit time-dependence notation, e.g., $S_B = S_B(t)$.

$B$ : level of Blue force at time $t$
$Z$ : level of Red force at time $t$
$\xi_B$ : infection spread rate within B
$\eta_B$ : infection patch rate within B
$\xi_Z$ : infection spread rate within Z
$\eta_Z$ : infection patch rate within Z
$\rho_U, \rho_D$ : normal attack rate, and decreased (by infection) attack rate of Z on B
$\beta_U, \beta_D$ : normal attack rate, and decreased (by infection) attack rate of B on Z

The model equations are as follows:
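$$\frac{dS_B}{dt} = (-\xi_B S_B I_B - \eta_B S_B R_B) - [\rho_U (S_Z + R_Z) + \rho_D (I_Z)]\, \frac{S_B}{S_B + I_B + R_B}, \tag{4.5}$$

$$\frac{dI_B}{dt} = (+\xi_B I_B S_B - \eta_B I_B R_B) - [\rho_U (S_Z + R_Z) + \rho_D (I_Z)]\, \frac{I_B}{S_B + I_B + R_B}, \tag{4.6}$$

$$\frac{dR_B}{dt} = (+\eta_B R_B S_B + \eta_B R_B I_B) - [\rho_U (S_Z + R_Z) + \rho_D (I_Z)]\, \frac{R_B}{S_B + I_B + R_B}, \tag{4.7}$$

$$\frac{dS_Z}{dt} = (-\xi_Z S_Z I_Z - \eta_Z S_Z R_Z) - [\beta_U (S_B + R_B) + \beta_D (I_B)]\, \frac{S_Z}{S_Z + I_Z + R_Z}, \tag{4.8}$$

$$\frac{dI_Z}{dt} = (+\xi_Z I_Z S_Z - \eta_Z I_Z R_Z) - [\beta_U (S_B + R_B) + \beta_D (I_B)]\, \frac{I_Z}{S_Z + I_Z + R_Z}, \tag{4.9}$$

$$\frac{dR_Z}{dt} = (+\eta_Z R_Z S_Z + \eta_Z R_Z I_Z) - [\beta_U (S_B + R_B) + \beta_D (I_B)]\, \frac{R_Z}{S_Z + I_Z + R_Z}. \tag{4.10}$$

(Annotations on the equations: the parenthesized term is labeled "Cyber Effects" (unaimed, degradation); the bracketed term is labeled "Kinetic Effects" (aimed fire, attrition); the trailing ratio is labeled "Fraction of Kinetic Effect.")

The first part of each equation represents the cyber effects on the total change of the number of units in a state, using an S-I-R epidemic spread. The second part of the equation represents the kinetic effects on the depletion, using aimed fire. This focuses proportionately on opposing units in each cyber-affected state.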

We use the Lanchester aimed-fire model for kinetic battles unless stated otherwise. A modified SIR disease-spread model, as in Schramm and Gaver (2013), describes the cyber effect. We make several assumptions. First, kinetic effects are assumed to be homogeneous for each opposing force; each live unit has its own chance (probability) to survive in aimed fire. Second, we assume there is only one vulnerability in each unit to exploit and to patch (i.e., there is only a single type of infection). Third, we assume that infected units can be cured without any permanent damage, and return to original strength. Finally, we assume that both the kinetic battle and cyber operations (as represented by the infection) start at time $t = 0$.

The measure of effectiveness (MOE) is the number of killed target units for each opponent, unless stated otherwise.

A visual summary of interactions and parameters in this model appears in Figure 9. In this figure alive Blue units can be in one of three states: $S_B$, $I_B$, $R_B$. Attrition from Blue goes to the (killed) state $K_B$. So $S_B$, $I_B$, $R_B$, $K_B$ and $B$ are all dynamic in nature, but they all sum up to a constant, $B_0$, the initial force size of the Blue force. Specifically we have $B = S_B + I_B + R_B$ and $B_0 = B + K_B$. Analogous mechanics govern Red force dynamics, represented in terms of $Z$. Note that this figure shows only positive values. Signs can be determined by the direction of the flow.


Figure 9. A two-sided Cyber Epidemic Combat model (General).
Members of the Blue force (B) are in one of four states: susceptible ($S_B$), infected ($I_B$), recovered ($R_B$), or killed ($K_B$). Members of the Red force (Z) are represented similarly. Changes in states are represented by directed arrows, and the flow in $dt$ is represented near the arrows.
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In  the  two-sided  Cyber  Epidemic  Combat  model,  although  attrition  rates  associated 
with  infected  or  non-infected  units  are  constant  (py,  py,  (iy  Py),  the  overall  attrition  rate  is 
a  weighted  average  of  these  constants,  and  the  weights  change  with  time.  Table  1,  displays 
the  attrition  rates. 


Overall change in force (Attrition)    Without cyber effects    With cyber effects
$dB/dt$                                $-\rho_U Z$              $-\rho_U (S_Z + R_Z) - \rho_D (I_Z)$
$dZ/dt$                                $-\beta_U B$             $-\beta_U (S_B + R_B) - \beta_D (I_B)$

Table 1. The attrition rates with and without the cyber effects.


2.  Compact  Form  of  Two-sided  Cyber  Epidemic  Combat  Model 


A more compact form to represent the same model can be stated using the overall
change. Appendix C discusses the use of this representation in the cyber epidemic
combat model. We use (4.11) as (4.5)+(4.6)+(4.7), and (4.12) as (4.8)+(4.9)+(4.10).


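$$\frac{dB}{dt} = -\rho_U (S_Z + R_Z) - \rho_D (I_Z) \qquad (4.11)$$

$$\frac{dZ}{dt} = -\beta_U (S_B + R_B) - \beta_D (I_B) \qquad (4.12)$$

$$\frac{dS_B}{dt} = (-\xi_B S_B I_B - \eta_B S_B R_B) + \frac{dB}{dt}\frac{S_B}{B} \qquad (4.13)$$

$$\frac{dI_B}{dt} = (\xi_B I_B S_B - \eta_B I_B R_B) + \frac{dB}{dt}\frac{I_B}{B} \qquad (4.14)$$

$$\frac{dR_B}{dt} = (+\eta_B R_B S_B + \eta_B R_B I_B) + \frac{dB}{dt}\frac{R_B}{B} \qquad (4.15)$$

$$\frac{dS_Z}{dt} = (-\xi_Z S_Z I_Z - \eta_Z S_Z R_Z) + \frac{dZ}{dt}\frac{S_Z}{Z} \qquad (4.16)$$

$$\frac{dI_Z}{dt} = (\xi_Z I_Z S_Z - \eta_Z I_Z R_Z) + \frac{dZ}{dt}\frac{I_Z}{Z} \qquad (4.17)$$

$$\frac{dR_Z}{dt} = (+\eta_Z R_Z S_Z + \eta_Z R_Z I_Z) + \frac{dZ}{dt}\frac{R_Z}{Z} \qquad (4.18)$$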
C. MIXED EPIDEMIC COMBAT MODEL EXPLORATION


We begin by exploring the equations that represent the change in kinetic attack rate
caused by cyber attack. Because the kinetic attack rate is the one factor that cyber attacks
and kinetic attacks have in common, a cyber attack affects the battle only through its
effect on the attack rate. Explaining the effects of cyber offensive and cyber
defensive measures on the kinetic attack rate gives insight into the overall picture.
We continue with numerical explorations for each analytic discussion.

1. Attack Rates


The attack rate of Blue and the attrition rate of Red can be represented as:

$$\frac{dZ(t)}{dt} = -\beta_U \left(S_B(t) + R_B(t)\right) - \beta_D I_B(t),$$

$$= -\beta_U \left[B(t) - I_B(t)\right] - \beta_D I_B(t),$$

$$= -\bar{\beta}(t)\, B(t),$$

where

$$\bar{\beta}(t) = \frac{\beta_U B(t) - \beta_U I_B(t) + \beta_D I_B(t)}{B(t)}.$$

Or:

$$\bar{\beta}(t) = \beta_U - (\beta_U - \beta_D)\, \frac{I_B(t)}{B(t)},$$

$$\bar{\beta}(t) = \beta_U - \bar{I}_B(t)\, (\beta_U - \beta_D). \qquad (4.19)$$

Here, $\bar{I}_B$ is equal to the fraction of units in B that are infected at time t, and is
scaled between 0 and 1. In addition, $\bar{I}_B$ is dynamic, so $\bar{\beta}$ (or $\bar{\beta}(t)$) is a function of time,
but we suppress time-dependency in notation for ease of display. We substitute
$\bar{\beta} = \beta_U - \bar{I}_B (\beta_U - \beta_D)$, and $\bar{\rho} = \rho_U - \bar{I}_Z (\rho_U - \rho_D)$. In the representation
$\beta_U - \bar{I}_B (\beta_U - \beta_D)$, the attack rate of the Blue force is decreased with the proportion
of infected in Blue, and the decrease in kinetic attack rate, based on the proposed model.


Attrition of Red can be modeled without any cyber infection effect on attacker as:

$$\frac{dZ}{dt} = -\beta_U B.$$

Now we can clearly see how a cyber infection in attacker units can affect attrition
of the defender:

$$\frac{dZ}{dt} = -\beta_U B + (\beta_U - \beta_D)\, I_B. \qquad (4.20)$$

In words, a cyber infection of the Blue force (B) degrades the instantaneous attack
rate on the Red force (Z) by an amount that depends on the number of infected Blue units
at time t and the difference in attrition rates between the infected and non-infected units.


2.  Cyber  Operation  Effects  on  Kinetic  Attack  Rates 


We used the bar representation to clarify the effects on attack rates as in the
previous section as:

$$\bar{\beta} = \beta_U - (\beta_U - \beta_D)\, \bar{I}_B \qquad (4.21)$$

$$\bar{\rho} = \rho_U - (\rho_U - \rho_D)\, \bar{I}_Z \qquad (4.22)$$


We can summarize these effects in Table 2.

Overall change in force (Attrition)    Without cyber effects    With cyber effects
$dB/dt$                                $-\rho_U Z$              $-\bar{\rho} Z$
$dZ/dt$                                $-\beta_U B$             $-\bar{\beta} B$

Table 2. The change in models with and without the cyber effects, simplified.




A visual representation of the states and the parameters can be summarized as in
Figure 10.

Figure 10. A two-sided Cyber Epidemic Combat model.

Figure 11 represents the model without any cyber effect. So comparison of Figure
10 and Figure 11 shows how the cyber effect changes the model.

Figure 12 represents the model with cyber degraded attack rates. Thus, Figure 10
and Figure 12 are essentially the same. Comparing these two figures reveals how the
underlying mechanics work for cyber effects.

Figure 11. A Kinetic model without any cyber effects.


Figure  12.  A  Kinetic  model  with  cyber  effects. 


These formulations reveal that the attack rate of Blue is decreased under cyber
attack, in proportion to the ratio of infected Blue units to fighting Blue units and the
difference of normal and decreased kinetic attack rate. This reinforces and quantifies the
intuition that effectiveness of an infection (lower $\beta_D$) is as important as the spread
capability of the infection. Similarly, any step to reduce the degradation of an infected unit
is as important as any step to reduce the spread of the infection. On one hand, we assumed
a constant decrease on the attack rate, which causes a proportional decrease in cyber effect;
on the other hand, the spread of the infection accelerates with time, which causes the cyber
effect to be more rapid initially. In this case, the spread speed of the infection has a
dominant role.


3. Numerical Exploration for Various Parameter Values

We will now use our model to explore how forces behave with and without cyber
infection. In the figures that follow, bold lines represent number of Blue and Red units
(and total attritions). Note that we increased the detail level in the graphs by using 10
steps in 1 time (t), and to reproduce these figures, time should be divided by 10.

We  begin  with  the  simple  case  where  both  sides  are  symmetric  in  initial  size  and 
capability.  Figure  13  shows  the  Lanchester  dynamics  for  a  conventional  aimed-fire  battle 
without  any  cyber  effect,  along  with  a  complete  replication  of  model  parameters.  The 
dynamics display a conventional aimed-fire pattern. Because the two sides are symmetric,
Red and Blue Forces annihilate one another.

We next consider the case where only one side has a cyber capability
(equivalently, the other side is the only one that suffers from a cyber infection). In Figure
14 one side (Red) has one cyber-infected unit initially, and there is asymmetry in the
initial conditions of the conventional combat. We can see how the cyber effect changes the
total force sizes of Blue and Red.

Figure 13 and Figure 14 clearly show that a single infected unit may have a large
effect on the battle outcome.

Of  course,  it  is  not  the  presence  of  a  cyber  capability  alone  that  leads  to  victory, 
but  that  may  be  an  advantage  of  one  side  over  the  other.  Figure  16  shows  the  case  where 
both  sides  have  an  identical  cyber  capability;  in  this  case,  the  model  parameters  are 
symmetric,  and  the  battle  is  again  a  draw. 




[Plot: number of survivors versus time.]

Parameters                                        Blue      Red
Initial number of the Force ($B$, $Z$)            1000      1000
Initial number of Susceptibles ($S_B$, $S_Z$)     950       950
Initial number of Infected ($I_B$, $I_Z$)         0         0
Initial number of Recovered ($R_B$, $R_Z$)        50        50
Attrition rate, normal ($\beta_U$, $\rho_U$)      0.10      0.10
Attrition rate, degraded ($\beta_D$, $\rho_D$)    0.01      0.01
Infection spread rate ($\xi_B$, $\xi_Z$)          0.0050    0.0050
Infection patch rate ($\eta_B$, $\eta_Z$)         0.0005    0.0005

Figure 13. No initial infection of Blue or Red.

In this battle, initial parameters are the same for both sides. Since two sides are symmetric,
Red and Blue annihilate one another. There is no cyber effect and the graph shows a
conventional aimed-fire pattern. The battle result is a draw. (Time is multiplied by 10.)
[Plot: number of survivors versus time.]

Parameters                                        Blue      Red
Initial number of the Force ($B$, $Z$)            1000      1000
Initial number of Susceptibles ($S_B$, $S_Z$)     950       949
Initial number of Infected ($I_B$, $I_Z$)         0         1
Initial number of Recovered ($R_B$, $R_Z$)        50        50
Attrition rate, normal ($\beta_U$, $\rho_U$)      0.10      0.10
Attrition rate, degraded ($\beta_D$, $\rho_D$)    0.01      0.01
Infection spread rate ($\xi_B$, $\xi_Z$)          0.0050    0.0050
Infection patch rate ($\eta_B$, $\eta_Z$)         0.0005    0.0005

Figure 14. Minimal initial infection on one side, Red.

In this battle, initial parameters are the same except the number of infected. So, we can see
the change in number of units when two equal (symmetric) forces fight, and one side
(Red) is infected. The battle results in clear victory of Blue. (Time is multiplied by 10.)
[Plot: number of survivors versus time.]

Figure 15. Minimal initial infection on both sides.

In  this  battle,  initial  parameters  are  the  same  for  both  sides,  again.  Two  sides  are 
symmetric.  Red  and  Blue  annihilate  one  another,  but  the  graph  shows  a  different  pattern 
from  a  conventional  aimed-fire.  The  difference  is  caused  by  the  infections  on  both  sides. 

(Time  is  multiplied  by  10.) 
A larger initial infection on one side accelerates the overall infection process and
limits even more the fighting capability of that infected side. Figure 16 shows the case
where the initial number of infected Red units is 50, and there are fewer susceptibles (so
the overall population size remains constant). Figure 17 shows the similar case where the
initial number of infected Red units is 500, all other conditions being
equal. Although the infection happens faster, the overall battle time does not change
significantly, and the results are qualitatively the same.

Figure 18 considers the case where the initial infection is symmetric, i.e.,
$I_B = I_Z = 1$, but where one force (Red) has a larger number of susceptibles, and therefore an
overall larger force size. In this case, the advantage in a larger initial force size gives Red
the victory, despite the fact that a larger force is a larger target. Greater disparity in the
initial sizes of Blue and Red, as shown in Figure 19, makes the result even more dramatic.
Specifically, we observe that between Figure 18 and Figure 19 there is about 9%
difference in force for initial conditions. However, the results of the battle changed in
favor of Red by 20%. This is because of the very nature of aimed fire.
Figure 16. Increased initial infection on Red (50x).

In this battle, initial parameters are the same except for the number of infected Red. We
increased the number of infected by 50 times to see the difference. We see that Blue wins,
but the increase does not change the outcome or time of battle significantly. (Time is
multiplied by 10.)

Figure 17. Increased initial infection on Red (500x).

In this battle, initial parameters are the same except the number of infected. In the case
where the number of infected is increased 500 times, we see that Blue wins again, but
despite the increased level of infected, the outcome and time of battle do not change
significantly. (Time is multiplied by 10.)

Figure 18. Increased initial susceptibles on Red (5%).

In this battle, initial parameters are the same with infection, for both sides. We increase
the initial number of susceptibles (and overall unit number) for Red by 5%. The difference
in outcome caused by this increase is about 40% of initial, and is significantly higher than
the input resource. (Time is multiplied by 10.)

Figure 19. Increased initial susceptibles on Red (13%).

In this battle, to compare with Figure 18, we increase the initial number of susceptibles
(and overall unit number) for Red by 13%. The difference in outcome caused by this
increase is about 60% of initial. The marginal effects of initial number of units are
decreasing, but still significant. (Time is multiplied by 10.)
We use the scenario in Figure 19 (symmetric initial infections, but a larger fighting
force for Red) to explore tradeoffs in other model parameters.

In Figure 20, when we decrease the patch (recovery) rate from 0.0005 to 0.0003 (a 40%
reduction), there is a significant change in the number of survivors. However, in Figure
21 when we decrease the patch rate from 0.0005 to 0.0002 (a 60% reduction), we see that
the victorious side changes. As shown in Figure 22 with a patch rate of .0002788 (a 45%
reduction), the outcome of the battle is a draw. So, overall a 45% decrease in patch rate
has approximately the same effect as a 13% decrease in force level. We should note that
these estimates are for given parameters on given points.

In Figure 23, we use the same method to see the effects of the spread rate;
however, the effect of the spread rate is not very significant. The marginal effect of each
additional infected unit (on the battle outcome) decreases as the initial number of infected
units increases, and after a point any addition to spread rate or initial infected units does not
significantly affect the overall course of the battle. In this case, comparing with Figure 19,
increasing the spread rate by 160 times is not enough to change the victorious side.

In Figure 24 we try to get the same type of result as in Figure 22 by decreasing the
initial number of recovered this time, keeping the patch rates the same as in Figure 19.
We see that a 72% decrease in number of initial recovered units has the same effect as a
45% decrease in patch rates or 13% decrease in number of fighting units, for the given set of
parameters.
Figure 20. Increased initial susceptibles and 40% decreased patch rate within Red.

In this battle, to compare with Figure 19, we decrease the patch rate for Red by 40%. The
difference in outcome caused by this decrease is about 40% of initial. We see that patch
rate affects the overall course of the battle significantly. (Time is multiplied by 10.)

Figure 21. Increased initial susceptibles and decreased patch rate within Red.

In this battle, to compare with Figure 19, we decrease the patch rate for Red by 60%. The
difference in outcome caused by this decrease is very large. We see that patch rate
affects the overall course of the battle significantly. (Time is multiplied by 10.)

Figure 22. Increased initial susceptibles and decreased patch rate within Red.

For this battle, we compare with Figure 15, because results are the same. Comparing to the
initial symmetric battle, we increased the number of Red units by 13%, and decreased the
patch rate for Red by 44%. The battle result is a draw again. (Time is multiplied by 10.)

Figure 23. Increased initial susceptibles and increased spread rate within Red (160x).

For this battle, we compare with Figure 15, because results are similar. Comparing to the
initial symmetric battle, we increased the number of units by 13%, and increased the
infection rate for Red by 160 times. The result is slightly in favor of Red. So, the spread
rate does not affect as much as patch rate does in this case. (Time is multiplied by 10.)

Figure 24. Increased initial susceptibles and decreased recovered on Red.

For this battle, we compare with Figure 15, because results are the same. Comparing to the
initial symmetric battle, we increased the number of units by 13%, and decreased the initial
number of recovered for Red by 72%. The battle result is a draw again. (Time is
multiplied by 10.)




4. Numerical Exploration for Attack Rates


To solve the differential equations numerically, we used the programming
language “R” (Ihaka and Gentleman, 1996) as the main software with the deSolve
package (Soetaert et al., 2010) to estimate the point at which one side is annihilated (the
root of one of the two equations). No step-size was declared for the solver. Due to the
model structure, force numbers may go negative unless stopped at the zero boundary.
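
The numerical procedure described above, as an added example that is not the thesis's R code: a self-contained Python integration of equations (4.11)-(4.18), using a fixed-step Runge-Kutta scheme in place of R's deSolve solver, run on the parameter values from the Figure 13 and Figure 14 tables. The step size, the stopping threshold of one remaining unit, and all function and variable names are assumptions of this example.

```python
"""Two-sided cyber epidemic combat model, equations (4.11)-(4.18)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Side:
    """Initial state and constant rates of one force."""
    s0: float             # initial susceptible units
    i0: float             # initial infected units
    r0: float             # initial recovered (patched) units
    rate_normal: float    # attack rate of a non-infected unit
    rate_degraded: float  # attack rate of an infected unit
    spread: float         # infection spread rate
    patch: float          # infection patch (recovery) rate


def side_derivs(own, enemy, p_own, p_enemy):
    """Return d(S, I, R)/dt for one force, given the enemy's state."""
    s, i, r = own
    es, ei, er = enemy
    total = s + i + r
    # (4.11)/(4.12): infected enemy units fire at the degraded rate.
    attrition = -p_enemy.rate_normal * (es + er) - p_enemy.rate_degraded * ei
    per_unit = attrition / total if total > 0.0 else 0.0
    # (4.13)-(4.18): epidemic flows plus each state's share of the attrition.
    ds = -p_own.spread * s * i - p_own.patch * s * r + per_unit * s
    di = p_own.spread * i * s - p_own.patch * i * r + per_unit * i
    dr = p_own.patch * r * s + p_own.patch * r * i + per_unit * r
    return (ds, di, dr)


def derivs(state, blue, red):
    """State is (S_B, I_B, R_B, S_Z, I_Z, R_Z)."""
    b, z = state[:3], state[3:]
    return side_derivs(b, z, blue, red) + side_derivs(z, b, red, blue)


def rk4_step(state, dt, blue, red):
    """One classical fourth-order Runge-Kutta step."""
    def shifted(k, h):
        return tuple(x + h * dx for x, dx in zip(state, k))
    k1 = derivs(state, blue, red)
    k2 = derivs(shifted(k1, dt / 2), blue, red)
    k3 = derivs(shifted(k2, dt / 2), blue, red)
    k4 = derivs(shifted(k3, dt), blue, red)
    return tuple(x + dt / 6 * (a + 2 * b + 2 * c + d)
                 for x, a, b, c, d in zip(state, k1, k2, k3, k4))


def simulate(blue, red, dt=0.01, t_max=200.0, floor=1.0):
    """Integrate until a force falls to `floor` units or t_max is reached.

    Stopping at `floor` (an assumed threshold: less than one unit left)
    keeps force sizes from running through zero into negative values.
    """
    state = (blue.s0, blue.i0, blue.r0, red.s0, red.i0, red.r0)
    t = 0.0
    peak = {"Blue": blue.i0, "Red": red.i0}   # largest infected count seen
    b, z = sum(state[:3]), sum(state[3:])
    while t < t_max and b > floor and z > floor:
        state = rk4_step(state, dt, blue, red)
        t += dt
        b, z = sum(state[:3]), sum(state[3:])
        peak["Blue"] = max(peak["Blue"], state[1])
        peak["Red"] = max(peak["Red"], state[4])
    if b <= floor and z <= floor:
        winner = "draw"
    elif z <= floor:
        winner = "Blue"
    elif b <= floor:
        winner = "Red"
    else:
        winner = "undecided"
    return {"winner": winner, "time": t, "blue": b, "red": z,
            "peak_infected": peak}


# Parameter values from the Figure 13 table (no infection on either side).
BASE = Side(s0=950, i0=0, r0=50, rate_normal=0.10, rate_degraded=0.01,
            spread=0.0050, patch=0.0005)
# Figure 14 table: Red starts with one infected unit, one fewer susceptible.
RED_INFECTED = replace(BASE, s0=949, i0=1)


def run_figure_13():
    return simulate(BASE, BASE)


def run_figure_14():
    return simulate(BASE, RED_INFECTED)


if __name__ == "__main__":
    for name, run in (("Figure 13", run_figure_13), ("Figure 14", run_figure_14)):
        out = run()
        print(f"{name}: winner={out['winner']} t={out['time']:.2f} "
              f"Blue={out['blue']:.1f} Red={out['red']:.1f} "
              f"peak infected Red={out['peak_infected']['Red']:.1f}")
```

The reported time is model time t; the thesis figures plot time multiplied by 10.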

Attack rates are at the core of this study. They are the common parameter linking cyber
and kinetic attacks. The victory is driven by the result of the kinetic battle, so ultimately
by number of units. The result of a kinetic battle is driven by two sets: numbers of units,
and attack rates. However, cyber attacks have no direct effect on number of surviving
units; they just affect the attack rates. So cyber attacks can change the course of a battle by
affecting the attack rates.

Attack  rates  are  assumed  to  be  constant  in  a  kinetic-only  battle,  as  in  original 
Lanchester  equations.  Cyber  operations  cause  these  rates  to  fluctuate  in  time  for  the 
deterministic  models.  We  have  shown  that  the  decrease  in  attack  rate  is  directly  related  to 
the  fraction  of  attacker  units  infected.  We  will  further  discuss  how  these  fluctuations  may 
affect  victory  conditions  and  how  cyber  operations  can  be  a  decisive  action  in  a  combat  in 
Section IV.C.8.

We  showed  how  cyber  and  kinetic  attack  rates  can  change  by  shock  in  Chapter  III, 
in  a  discrete  manner.  This  chapter  explores  the  same  content  in  a  continuous  manner. 
Thus,  in  Figure  25,  we  see  how  one  cyber-capable  side  can  change  the  attack  rate  of  its 
adversary  over  time  with  the  mixed  epidemic  combat  model. 

Figure  26  shows  the  change  in  attack  rates  when  both  sides  have  cyber  attack 
capabilities,  and  gives  a  sample  for  the  interaction  between  them. 

Overall,  in  Figure  25  one  side  is  infected,  and  in  Figure  26  both  sides  are  infected. 
The  difference  between  Figure  25  and  Figure  26  is  what  we  explore  in  this  chapter. 
Figure 25. A notional attack rate graph, Blue is infected by Red.

Figure 26. A notional attack rate graph, each side is infected by the other side.

In Figure 27 we can see that $\bar{\beta}(t) = \beta_U - \bar{I}_B (\beta_U - \beta_D)$ was decreased by a cyber
operation, and $\rho$ is constant. Although Red here has a significantly lower attack rate ($\rho$),
Blue attack rate can be forced to be lower than $\rho$ depending on other parameters.
With optimum cyber capabilities, Red can have attack rate superiority for long enough,
which may lead to combat victory.

The underlying situation in Figure 27 is that although both forces start with the
same number of units, Blue was infected by Red immediately after the battle starts. The
infection spreads 10 times faster than it is cured in susceptibles, but Blue forces can patch
both infected units and susceptibles. The infection decreases the kinetic attack capability
to 10% of initial. The infection does not last more than 20% of the battle time when we
run the model, but changes the result of the battle.

Figure 27. A notional attack rate graph. Blue is under cyber attack by Red.
Number of initial units in this figure is the same. Although the initial kinetic attack rate of
Blue is significantly higher than Red’s attack rate, Blue is quickly infected by Red. The
result of the battle is a draw.


5. Numerical Sensitivity Analysis of Parameters

To understand the effects of parameters on the overall battle result, we numerically
conduct sensitivity analyses. Since the model uses several parameters, we fix each
parameter and vary two of them each time to have a two-dimensional visual
representation. This approach restricts us to a very specific range, but may help to gain
insight.

We represent blue color when Blue force wins, and red color when Red force wins.
The parameters are fixed as in Table 3 except the two analyzed ones, which are specified in the
figure. The parameters are symmetric unless stated otherwise. We display the results in
Figure 29.

When comparing infection spread rates, $\xi_B$ and $\xi_Z$, the result is intuitive. We use
the range (0, 0.02) for both parameters, and because we assume two symmetric forces in
the experiment, depending on two symmetric parameters, the graph is also symmetric. So
if Blue force was infected by a more powerful infection, then the spread rate in Blue
would be higher, which would lead Red to win. The same conditions apply to Blue.

When comparing the infection spread rate of Blue, $\xi_B$, and the patch (recovery)
rate of Blue, $\eta_B$, we observe a non-linear interaction for these two parameters. Using the
range (0, 0.004) for $\eta_B$ and (0, 0.04) for $\xi_B$, we see that has a dominant effect over
The underlying reason for this may be the marginal effect of which decreases when the
spread rate gets larger.

We also compare the infection spread rate of Blue, $\xi_B$, and the patch (recovery)
rate of Red, $\eta_Z$, and we see a different pattern. These two parameters may seem unrelated,
but in a highly-interactive environment they should be. We use the range (0, 0.002) for $\eta_Z$
and (0, 0.02) for $\xi_B$. The graph shows that they are related in a non-linear way. One point
to consider is that this graph is not symmetric, and parameters have different effects. The
interaction between these two parameters shows that these two parameters affect the battle
results in the same way. Decreasing any of these parameters will cause Blue to win. Since
we can explain $\eta_Z$ as cyber defensive effectiveness of Red and $\xi_B$ as cyber offensive
effectiveness of Red, they affect the battle in the same direction. Also, we can see that $\eta_Z$
has a higher relative threshold than $\xi_B$, which gives the same result with the analytical
approach.

Finally, we compare the number of recovered Blue ($R_B$) with number of infected
Blue ($I_B$). This time, unlike the other three comparisons, we compare the number of units
instead of rates. We use a range (0, 200) for both state variables. In this case, the number
of Red forces is constant and equal to 1000. The number of Blue forces, however, is not
constant and changes due to other state variables. Comparing these two factors, we see
another non-linear interaction. The interaction between these two state variables comes
from the tradeoff between the total size of the Blue fighting force, and the effect of cyber
attack on Blue. Noting that initial Red size is constant in all the points in this figure, when
infected size gets larger, the total fighting force gets larger, too. This affects the overall
battle result in favor of Blue, even if elements of the increased force are infected.


Parameters                                        Blue      Red
Initial number of the Force ($B$, $Z$)            1000      1000
Initial number of Susceptibles ($S_B$, $S_Z$)     949       949
Initial number of Infected ($I_B$, $I_Z$)         1         1
Initial number of Recovered ($R_B$, $R_Z$)        50        50
Attrition rate, normal ($\beta_U$, $\rho_U$)      0.10      0.10
Attrition rate, degraded ($\beta_D$, $\rho_D$)    0.01      0.01
Infection spread rate ($\xi_B$, $\xi_Z$)          0.0050    0.0050
Infection patch rate ($\eta_B$, $\eta_Z$)         0.0005    0.0005

Table 3. Base parameters for numerical sensitivity analysis figures.

Figure 29 is based on this table. The ranges of parameters are specified on each graph.

Figure 28. Numerical analysis pairs.

Each graph uses parameters from Table 3. The sensitivity range is specified on each graph.
6. Dynamic State Equations


Starting again with equations (4.11)-(4.18), we follow the steps specified in
Appendix D for the following equation:


— 

^0 


9, 


^0 


This  is  equivalent  to: 


c  B, 


c  = 


^0 

Bq  xIq) 


(4.23) 


(4.24) 


All initial states ($S_0$, $I_0$, $R_0$) belong to $B$. Note that the state variables and
parameters should be positive, and $c$ is constant.

Equation  (4.23)  and  equation  (4.24)  are  different  representations  of  the  model.  We 
keep  these  equations  for  different  interpretations. 

These dynamic state equations provide a solid background to show effects of cyber
operations, considering the given spread model. We should keep in mind that $B$ is the
driver here, and may decrease over time by the kinetic effect. So as the ratio $B/B_0$ drops from
an initial value of 1 and approaches 0, all other states are affected by this. Without an
attrition effect on $B$, the term $B/B_0$ will be constant (e.g., 1), and the other states will be
balanced by these equations. If we know or model the change of the ratio $B/B_0$ by an outside
model (i.e., kinetic attrition), we can understand the infection level at any time, by given
initial conditions.

Equation (4.23) shows a clear picture for changes on $B$. It represents the
changes within $B$ explicitly, but depends on other factors such as $Z$ for the overall change of $B$
(i.e., attrition). If we use the assumption of “no kinetic battle,” there will be no attrition,
and $B/B_0$ is 1. Also assume that $\xi = \eta$. In that case, we see the same result with Schramm
and Gaver (2013) closed form of $I(t)$, which uses the same assumption.

Equation (4.24) shows that the ratio of $B$ to $B_0$ is inversely related to the ratio of $I$
to $I_0$. Again the ratio of $B$ to $B_0$ is directly related to the ratio of $R$ to $R_0$ and to the ratio of
$S$ to $S_0$. These calculations would hold outside of asymptote limits. With this equation we
see that change in the value of $B$ affects $R_B$, attack rates, spread rates and patch rates in
different ways.

Equation (4.24) supports a basis for a cost estimation comparison for cyber
operation effects. We conclude that the value of $R$ affects the overall combat proportional
to fraction, whereas the ratio of rates affects the combat exponentially.


7.  Cyber  Pandemic  Threshold 


The maximum time of infection is an important breakpoint. We will discuss this
issue further in this section. As discussed in Schramm and Gaver (2013), under the
assumptions $\beta = \rho = 0$, $\xi = \eta$ the maximum infection time is:

$$t_{I,\max} = \frac{1}{2 \xi B_0} \ln\left[\frac{(S_0 + I_0)\, S_0}{(R_0 + I_0)\, R_0}\right] \qquad (4.25)$$

If we want to estimate time of maximum infected ratio from the start of the battle,
we can assume that $I_0 \ll R_0 \ll S_0$, and take $I_0$ as a small number (e.g., 1). Approximating
$B_0 = S_0 + R_0$, that will lead us to:

$$t_{I,\max} = \frac{1}{2 \xi (S_0 + R_0)} \ln\left[\left(\frac{S_0}{R_0}\right)^2\right] = \frac{1}{\xi (S_0 + R_0)} \ln\left[\frac{S_0}{R_0}\right], \quad I_0 > 0 \qquad (4.26)$$

If we fix the fraction $B_0 / R_0 = k$, we can summarize the equation as:

$$t_{I,\max} = \frac{1}{\xi k R_0} \ln[k - 1]; \quad \ln[k - 1] > 1 \qquad (4.27)$$
We can interpret this equation in several ways.

First, from (4.26) we observe that $t_{I,\max}$ decreases inversely as the infection
spread rate $\xi$ increases. That means if $\xi$ is doubled, $t$ will be 1/2 of the original; and if $\xi$ is
increased by 10 times, $t$ will be 1/10 of the original.

The second and less intuitive result from Eq. (4.25) is that $R_0$ acts the same way.
So if the initial recovered size is increased by 10 times, $t$ will be 1/10 of the original, also.

Third, the ratio of $S_0 / R_0$ is also important; so if it is closer to one, $t$ will be closer to
zero.

In most cases we can assume to have $R_0 \ll S_0$ and $I_0 = 1$. By this assumption we
can see how well maintained ($R_0$) (regular updates, virus and ID protection, etc.) and
poorly maintained units can degrade the response to a cyber attack, thus affecting the
combat outcome.

Another  way  to  approach  the  spread  of  infection  is  to  find  the  pandemic  (epidemic) 
threshold,  which  is  a  lower  limit  on  some  attributes  of  the  infection  and  the  cure  that 
indicates  how  the  spread  grows  throughout  the  population.  The  pandemic  threshold  differs 
for  each  epidemic,  and  is  an  indicator  to  foresee  when  the  epidemic  grows  and  when  it 
starts  to  shrink.  Using  a  differential  definition  of  cyber  infection  spread  to  original 
equation in (4.6), we can summarize the situation in $B$ as:


d/g 

dt 


(4.28) 


Thus,  the  threshold  is: 

^B^B^B  Vb^B^B  ^  ^B^B  Vb^B 

—  >  — 

^B  ^B 


(4.29) 
Since $S_B$ and $R_B$ are dynamic in nature, we can interpret that the infection will grow until the ratio $S_B/R_B$ decreases to the constant $\eta_B/\xi_B$. As was explained previously, when $\xi = \eta$ is assumed, the threshold becomes $S_B > R_B$, and holds with former calculations.

Also, we can interpret that the infected size will increase until some point in time, and then will start to decrease. The time that the sign changes is and we can come up with an equation as:

In most cases the infected side may not know the spread rate of the infection, but it may well be able to estimate the patch rate, the number of patched units and, roughly, the number of susceptibles. So, assuming that the infection spread rate is constant, the infection will spread if

$\xi_B > \eta_B \frac{R_B}{S_B}$  (4.30)

In this case, Eq. (4.30) says that $R_B/S_B$ acts like a multiplying factor for the patch rate. When $\eta_B R_B/S_B$ is larger than $\xi_B$, the epidemic starts shrinking. This shows that regardless of the patch rate, if a force keeps a high ratio of recovered units or a low ratio of susceptible units (i.e., by constantly updating cyber infrastructure), it would be highly unlikely for an infection to spread and cause significant degradation.
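The threshold in Eqs. (4.29) and (4.30) can be checked numerically. The following Python sketch is an added example, not code from the thesis; it integrates the Blue epidemic terms with kinetic attrition switched off (an assumption made here to isolate the epidemic) and uses constructed parameter values.

```python
"""Numerical check of the epidemic threshold in Eqs. (4.29)/(4.30)."""


def infection_spreads(xi, eta, S, R):
    """Eq. (4.30): the infection grows while xi > eta * R / S.

    Written as xi * S > eta * R so that S == 0 needs no special case.
    """
    return xi * S > eta * R


def run_epidemic(S, I, R, xi, eta, dt=0.01, t_end=100.0):
    """Forward-Euler integration of the Blue epidemic without attrition.

        dS/dt = -xi*S*I - eta*S*R
        dI/dt = +xi*I*S - eta*I*R
        dR/dt = +eta*R*S + eta*R*I

    Returns (peak, final): the state at the maximum of I and at t_end.
    """
    peak = {"t": 0.0, "S": S, "I": I, "R": R}
    for n in range(1, int(round(t_end / dt)) + 1):
        dS = -xi * S * I - eta * S * R
        dI = xi * I * S - eta * I * R
        dR = eta * R * S + eta * R * I
        S, I, R = S + dt * dS, I + dt * dI, R + dt * dR
        if I > peak["I"]:
            peak = {"t": n * dt, "S": S, "I": I, "R": R}
    final = {"t": t_end, "S": S, "I": I, "R": R}
    return peak, final


# Constructed scenarios (not from the thesis): same rates, different upkeep.
XI, ETA = 0.002, 0.001
POORLY_MAINTAINED = dict(S=98.0, I=1.0, R=1.0)   # R_0 << S_0, I_0 = 1
WELL_MAINTAINED = dict(S=30.0, I=1.0, R=69.0)    # high recovered ratio

if __name__ == "__main__":
    for name, start in (("poorly maintained", POORLY_MAINTAINED),
                        ("well maintained", WELL_MAINTAINED)):
        peak, final = run_epidemic(xi=XI, eta=ETA, **start)
        print(f"{name}: spreads at t=0: "
              f"{infection_spreads(XI, ETA, start['S'], start['R'])}")
        print(f"  peak I = {peak['I']:.1f} at t = {peak['t']:.2f}, "
              f"S/R at peak = {peak['S'] / peak['R']:.3f} "
              f"(eta/xi = {ETA / XI:.3f})")
        print(f"  final I = {final['I']:.3f}")
```

In the first scenario the infected count peaks where $S_B/R_B$ has fallen to $\eta_B/\xi_B$; in the second the threshold is never met and the single initial infection only decays.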

8. Cyber Operation Effects on Victory Conditions

We explore cyber epidemic combat models for different objectives, but the main objective is to be able to understand and interpret the effects on battle outcome.

To set the base for victory conditions, we will use the number of survivors in kinetic combat. Thus, the dynamic state equation of kinetic battle can be used to evaluate the number of survivors. So, following the steps from (2.1) and (2.2) we see the closed form equation as $\beta (B_0^2 - B^2) = \rho (Z_0^2 - Z^2)$ by Lanchester (1916). We expect that Blue wins if $\frac{B_0}{Z_0} > \left(\frac{\rho}{\beta}\right)^{1/2}$, and that the battle ends in a draw if $\frac{B_0}{Z_0} = \left(\frac{\rho}{\beta}\right)^{1/2}$, in a battle without cyber effects. We will use the same steps in order to find how cyber operations affect the conditions for victory.


Using B as the number of remaining Blue forces at time t, Z as the number of remaining Red forces at time t, $\beta$ as the effective attack rate of Blue at time t, and $\rho$ as the effective attack rate of Red at time t, we can estimate victory conditions at time t. Note that this is a dynamic process, and the victorious side can change during the battle, depending on the given parameters. The intention here is not to estimate the winner from the initial conditions (which is not possible with these calculations), but to understand how these parameters affect the battle results. Also, this calculation will reveal whether keeping the current conditions for attack rates at time t for the rest of the battle would lead to victory or not. Blue wins the battle as long as


(4.31) 


Another important question is how long one side must keep cyber superiority in order to win. We will look for a sample situation where Blue is defeated. Then we will increase Blue's defensive cyber operation effectiveness ($\eta_B$) to see if Blue is victorious.


The following figures represent a sample comparison for two sides, with Blue exposed to cyber operations. The initial force ratio is 1, so victory depends solely on attack rates. The shaded area is where Blue wins (respectively, the white area is where Red wins) if we were to keep Blue's attrition rate at a value in the shaded area (respectively the white area) for the remainder of the combat.

In the controlled numerical experiment, we keep every condition the same and set $\eta_B$ = 0.0002 for Figure 29, and set $\eta_B$ = 0.0003 for Figure 30. Surprisingly, even this small change can lead to the turnover of the victory in the battle. Various graphs can be produced by trial, but this single experiment is enough to show the importance of cyber operations.
Figure 29 summarizes the attack rates for a kinetic battle that Red wins. We see that Red wins the kinetic battle when the infected units were high in ratio in Blue, because its attacking power was affected significantly. We can conclude that if Red is able to prevent Blue from recovering or if Blue did not invest in cleaning the infection, the battle would result differently.

Figure  30  summarizes  the  attack  rates  for  the  same  battle  (same  parameters)  when 
Blue  was  able  to  increase  its  cyber  infection  patch  rate  by  50%  and  win  the  kinetic  battle. 

Shaded  regions  are  the  conditions  (at  time  t)  where  Blue  is  victorious  at  the  end  of 
the  battle,  and  white  regions  are  for  Red. 

These discussions are intended to answer some questions about the effects of time of shock, time of recovery, and the size of the forces at these times. We explored what can affect victory conditions, but the methods used in this chapter represent just one way to approach these questions, and there are various other ways to do it. Our assumptions regarding the epidemic model and the combat model affect the course of the discussions. The specific scenarios used for numerical experiments explain the proposed models under these specific conditions. There are various ways to change and extend the topics discussed in this section, and in the next chapter we will give examples of several different model types that can be explored in similar ways.
[Parameter table: initial number of the force (B, Z); initial number of susceptibles ($S_B$, $S_Z$); initial number of infected ($I_B$, $I_Z$); initial number of recovered ($R_B$, $R_Z$); attrition rates.]

Figure 29. Change of attack rates (Time is multiplied by 10.) ($\eta_B$ = 0.0002).

Figure 30. Change of attack rates with 50% increased effective infection patch rate for Blue (Time is multiplied by 10.) ($\eta_B$ = 0.0003).
V. PROPOSED EXTENSIONS TO DISCUSSED MODELS


In  Chapter  IV,  we  explored  some  of  the  attributes  of  the  basic  cyber  epidemic 
combat  model.  In  this  chapter,  we  consider  different  attributes  of  a  cyber  attack  process 
and  try  to  expand  the  model  along  with  these  considerations.  In  order  to  combine  the 
kinetic  battle  with  cyber  operations,  the  model  discussed  in  Chapter  IV  needs  to  be 
adjusted time-wise. This is because events can happen faster in cyberspace as compared to kinetic space (Andress and Winterfeld 2013). In other words, we differentiate cyber time from kinetic battle time. We use scaled cyber time in the study first to introduce new aspects with normalized values, and non-scaled cyber time after that for time considerations. These models propose only one way to represent a certain attribute; there are several more ways to model these attributes, and there are several more attributes as well.

As  discussed  in  Schramm  and  Gaver  (2013)  and  explained  in  Andress  and 
Winterfeld  (2013)  time-scale  can  be  an  issue  when  combining  kinetic  attacks  and  cyber 
attacks.  We  categorize  the  extensions  into  two  main  parts;  as  scaled  time  discussions,  and 
non-scaled  time  discussions.  Time  scale  especially  affects  dynamic  calculations,  which 
were  discussed  in  Chapter  IV.  The  calculations  for  cyber  infection  spread  may  be  even 
unnecessary  because  of  the  different  time  scales  with  cyber  battle  and  kinetic  battle.  If  the 
cyber  infection  time  is  not  in  sync  (or  not  scaled)  with  kinetic  battle  time,  this  will  cause 
two  possible  outcomes:  either  the  kinetic  battle  outcome  is  dominated  by  infection 
regardless  of  changes  in  rates  and  numbers,  or  it  is  not  affected  at  all.  In  contrast,  if  the 
kinetic  battle  time  is  scaled  to  cyber  time,  the  battle  will  be  affected  anyway,  but  the  effect 
will  be  dependent  on  some  factors,  such  as  infection  spread  rates,  number  of  infected 
units,  etc. 

Although we propose various extensions to the basic model in this chapter, such as adding different intrusion times, defense capabilities or a second type of infection to the system, due to time constraints in this study we leave it to the reader to obtain numerical results. These are proposed models, intended to explain different aspects of cyber operations, and they need to be analyzed both analytically and numerically in detail.
A. SCALED CYBER TIME - KINETIC COMBAT TIME


In this part, we explore different extensions to the base model constructed in Chapter IV. We introduce different coefficients and modifications to the model depending on attack/defense type. We introduce one expression for each model on top of the base model. These extensions work properly if all states are positive. For purposes of exposition, we suppress time-dependence notation, e.g., $S_B = S_B(t)$. Note that these figures show only positive values. Signs can be determined by the direction of flow.

1. The Base Case

As  a  reminder  to  the  reader,  here  we  summarize  the  model  and  parameters  in  the 

base  case  scenario  from  Chapter  IV.  We  then  extend  the  base  case  scenario  by  introducing 

new  terms  to  represent  different  scenarios  of  interest. 

B : level of Blue force at time t

Z : level of Red force at time t

$\xi_B$ : Infection spread rate within B

$\eta_B$ : Infection patch rate within B

$\xi_Z$ : Infection spread rate within Z

$\eta_Z$ : Infection patch rate within Z

$\rho_U$, $\rho_D$ : Normal attack rate, and decreased (by infection) attack rate of Z on B

$\beta_U$, $\beta_D$ : Normal attack rate, and decreased (by infection) attack rate of B on Z


Figure  31.  A  two-sided  Cyber  epidemic  combat  model. 
2. Intrusion Rate


In  Chapter  IV,  we  explored  the  importance  of  the  first  infection  on  the  overall 

system  dynamics  and  battle  outcome.  We  now  introduce  a  new  term  to  represent  this 

initial  infection.  Specifically,  we  define  the  following. 

$\theta_B$ : Infection start (intrusion) rate within B

$\theta_Z$ : Infection start (intrusion) rate within Z


Figure  32.  A  two-sided  Cyber  epidemic  combat  model  with  intrusion  rates. 

The new term $\theta_B$ represents the intrusion rate to Blue in order to start an infection. This is a crucial term to estimate the effectiveness of defensive actions of B and can be estimated from real data on cyber penetration tests on combat units.

The Blue force is infiltrated and infected at the rate of $\theta_B$ in a given timeframe. Since penetration is the toughest part of a cyber attack, this rate is different from the spread rate and in general should be much smaller.

We  formulate  the  dynamics  for  the  one-sided  model  only  to  simplify  this  process; 
the  other  side  will  be  symmetric. 
$\frac{dB}{dt} = -\rho Z$  (5.1)


dSn 


dt 


dB  5g 

~  Vb^b^b)  + 


(52) 


diB 

dt 


C+^B^B-^B  +  ^B^B 


dB  /g 

’1bIi!Rb)+-j^j 


(S.3) 


$\frac{dR_B}{dt} = (+\eta_B R_B S_B + \eta_B R_B I_B) + \frac{dB}{dt}\frac{R_B}{B}$  (5.4)


We may use the intrusion rate in our model for a more realistic approach. In the real world, unlike in our model in Chapter IV, the first infected unit can be found and patched before spreading the infection in the adversary, which would affect the course of the battle. On the other hand, there would be multiple intrusions in a cyber attack to make sure the infection spreads. We may represent these two actions with $\theta_B$.

Second, representing the intrusion rate separately will allow us to assess how it affects a cyber attack. Note that there are specially designed simulations to represent cyber intrusion to systems. So, gathering data and comparing the model with the data is an area of interest, which is very applicable.
3. Defense Rate


A  cyber  defensive  action  can  be  modeled  in  different  ways,  depending  on  the 
nature  of  the  cyber  operation.  The  main  subdivisions  can  be  passive  defense  and  active 
defense.  We  propose  two  different  approaches  for  these  two  types  of  defensive  actions. 

a.  Constant  Defense  Rate 

In the context of a mixed-epidemic model, passive defense means that B can reduce the spread of an infection at a constant rate using passive defensive actions, i.e., firewall, automated virus protection programs, automated network transfer reductions, etc. These actions generally use automated procedures with dedicated resources or outsourcing. We assume these actions do not affect the kinetic attack rate, are not related to the number of fighting units, and reduce the spread at a constant rate alone, if that is positive. To reflect this dynamic in our system equations, we introduce the following terms.

$\gamma_B$ : Threat detection rate of B

$\gamma_Z$ : Threat detection rate of Z


Figure  33.  A  two-sided  Cyber  epidemic  combat  model  with  constant  defensive  action. 
Again, we formulate one side to simplify the exposition, with the other side symmetric.

$\frac{dB}{dt} = -\rho Z$  (5.5)

$\frac{dS_B}{dt} = (-\xi_B S_B I_B + \gamma_B - \eta_B S_B R_B) + \frac{dB}{dt}\frac{S_B}{B}$  (5.6)

$\frac{dI_B}{dt} = (+\xi_B I_B S_B - \gamma_B - \eta_B I_B R_B) + \frac{dB}{dt}\frac{I_B}{B}$  (5.7)

$\frac{dR_B}{dt} = (+\eta_B R_B S_B + \eta_B R_B I_B) + \frac{dB}{dt}\frac{R_B}{B}$  (5.8)


Note that the intention here is to add to the model the effects of automated processes for cyber systems. These processes require a certain amount of resource, which will be used to reduce the spread of infection. Also, if the infection spread is not fast enough and does not consume all of these automated resources, they will be used to clean the infected units. Cleaning the infection by an automated process is not patching the unit, but is taking away the degrading effect, so that these units are susceptibles and can be infected again, until patched by an R. This model works if $I_B, R_B > 0$.
b. Active Defense Rate

In contrast to passive defense, active defensive actions generally use some resources related to the fighting force, and the use of these resources detracts from the kinetic capability of the force. To be more specific, active defense of Blue constricts the use of cyber-related parts (i.e., communication devices, navigation devices, headquarter computers) in order to reduce the spread of infection in Blue, which slows down the cyber infection spread as well as the patch updates in Blue. However, this measure also reduces the kinetic attack rate of Blue, because the cyber defender's (Blue's) restriction on the use of cyber-related parts may reduce its fighting capability as well as the spread of cyber infection.

$\tau_B$ : Information process rate of B ($0 < \tau_B < 1$)


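Figure 34. A two-sided Cyber epidemic combat model with dynamic defensive action.

$\frac{dB}{dt} = -\rho Z, \quad \frac{dZ}{dt} = -\beta B \tau_B$  (5.9)

$\frac{dS_B}{dt} = (-\xi_B S_B I_B - \eta_B S_B R_B)\,\tau_B + \frac{dB}{dt}\frac{S_B}{B}$  (5.10)

$\frac{dI_B}{dt} = (+\xi_B I_B S_B - \eta_B I_B R_B)\,\tau_B + \frac{dB}{dt}\frac{I_B}{B}$  (5.11)

$\frac{dR_B}{dt} = (+\eta_B R_B S_B + \eta_B R_B I_B)\,\tau_B + \frac{dB}{dt}\frac{R_B}{B}$  (5.12)

$\frac{dS_Z}{dt} = (-\xi_Z S_Z I_Z - \eta_Z S_Z R_Z) + \frac{dZ}{dt}\frac{S_Z}{Z}$  (5.13)

$\frac{dI_Z}{dt} = (+\xi_Z I_Z S_Z - \eta_Z I_Z R_Z) + \frac{dZ}{dt}\frac{I_Z}{Z}$  (5.14)

$\frac{dR_Z}{dt} = (+\eta_Z R_Z S_Z + \eta_Z R_Z I_Z) + \frac{dZ}{dt}\frac{R_Z}{Z}$  (5.15)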


The variable defense rate of Blue ($\tau_B$) models the information process rate in case of a cyber attack. If the infection spread is high, reducing the process rate to 0 will stop both the spread of the infection and the cure of the infection, and can be considered maximum protection from a cyber attack, with a trade-off of reducing communication and decreasing the kinetic attack rate to 0. Keeping the rate at 1 will not have any effect on the cyber attack and can be considered the weakest cyber protection, but the kinetic attack will also not be affected by a reduced information process.
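The trade-off that $\tau_B$ controls in Eqs. (5.9) to (5.12) can be explored numerically. The Python sketch below is an added example, not code from the thesis; it assumes Red is not infected (constant $\rho$), that Blue's effective attack rate is the state-weighted mean of $\beta_U$ and $\beta_D$, that the battle ends when one side falls to one unit, and it uses constructed parameter values.

```python
"""One-sided active-defense model, Eqs. (5.9)-(5.12), with Red uninfected."""


def battle(tau, S=94.0, I=1.0, R=5.0, Z=80.0, beta_u=0.01, beta_d=0.002,
           rho=0.01, xi=0.004, eta=0.001, dt=0.01, t_end=2000.0, floor=1.0):
    """Forward-Euler run until one side falls to `floor` units.

    tau is Blue's information process rate: 1 = unrestricted, 0 = cyber
    systems shut off. All default values are constructed for illustration.
    """
    t = 0.0
    while t < t_end:
        B = S + I + R
        if B <= floor or Z <= floor:
            break
        # Assumption: infected units fight at beta_d, all others at beta_u.
        beta = (beta_u * (S + R) + beta_d * I) / B
        dB = -rho * Z                                         # (5.9)
        dZ = -beta * B * tau                                  # (5.9)
        dS = (-xi * S * I - eta * S * R) * tau + dB * S / B   # (5.10)
        dI = (+xi * I * S - eta * I * R) * tau + dB * I / B   # (5.11)
        dR = (+eta * R * S + eta * R * I) * tau + dB * R / B  # (5.12)
        S, I, R, Z = S + dt * dS, I + dt * dI, R + dt * dR, Z + dt * dZ
        t += dt
    B = S + I + R
    if Z <= floor < B:
        winner = "Blue"
    elif B <= floor:
        winner = "Red"
    else:
        winner = "undecided"
    return {"tau": tau, "t": t, "B": B, "Z": Z,
            "infected_frac": I / B if B > 0 else 0.0, "winner": winner}


def sweep(taus=(0.0, 0.25, 0.5, 0.75, 1.0), **kwargs):
    """Run the same battle for several values of tau."""
    return [battle(tau, **kwargs) for tau in taus]


if __name__ == "__main__":
    for r in sweep():
        print(f"tau={r['tau']:.2f}  winner={r['winner']:<9}  "
              f"B={r['B']:6.1f}  Z={r['Z']:6.1f}  "
              f"infected fraction={r['infected_frac']:.2f}  t={r['t']:.1f}")
```

With $\tau_B = 0$ Red takes no losses, so under these assumptions a full shutdown freezes the infection but always ends in a Blue defeat; intermediate values trade slower infection spread against lower firepower.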
4. Intelligence Level of Cyber Attacker


We are interested in the situation where an attacker (Red) has a level of intelligence about which members of the defender (Blue) are in state R. So, the attacker wants to aim just at those Blue units that are in state R instead of the overall Blue forces, in order not to kill infected units and susceptibles. We introduce a new expression ($\mu_B$) to model this situation.

The expression $\mu_B$ represents the level of intelligence distinguishing $R_B$. So, if $\mu_B$ is set to 0, it means that the attacker has no specific information about $R_B$ and aims at Blue as a whole as in the basic model. If $\mu_B$ is set to 1, it means that the attacker has perfect information about $R_B$ and aims only at $R_B$, and causes no attrition on $S_B$ or $I_B$. Any intelligence level between 0 and 1 can be used in the model.

We will formulate one side to simplify this process, and the other side will be symmetric.

$\mu_B$ : Attacker's intelligence level on state $R_B$ ($0 < \mu_B < 1$)


[Figure axis: intelligence level $\mu_B$, from 0 to 1]

Figure  35.  A  notional  figure  about  using  intelligence  level. 
Change  in  one  side  (Blue)  by  intelligence  level  is  represented 
$\frac{dB}{dt} = -\rho Z$  (5.16)


^  =  {-(sSbIb  -  VbSbRb)  +  ^  ^ 

^  =  i+^BhSB  -  VbIbRb)  +  ^  (1  -  I 

dB  Rfj 

=  i+VBRB^B  +  VbRbIb)  +  Y  ^ 


This model can be used to represent a phase in which the cyber attacker wants to spread the infection, and the intention is to first clear the recovered units, and then focus on susceptible units and infected units. This may be the case when the adversary has a limited number of recovered units, which can be completely killed in a short time.

Another area of use may be the case where the cyber attack is very effective at reducing the kinetic capability of the adversary, and can spread fast enough, but the kinetic attack costs (or risks) are high.

The  common  point  in  these  two  cases  is  the  aim  to  spread  the  infection,  whether  to 
collect  intelligence,  or  to  reduce  kinetic  attack  capability  of  the  adversary. 
5. Use of White Population for DDoS Attack


This is a model for a Distributed Denial of Service (DDoS) attack, which uses infection spread in another network. A DDoS attack is an indirect attack type, which intends to decrease the usable capacity of communication networks by sending constant messages and by generating a heavy burden of unnecessary message traffic. So, DDoS networks (or botnets) attack a given target with brutal cyber force as a physical attack and reduce the capacity to communicate.

We simplified the B states to Working ($W_B$) and Disabled ($D_B$): $D_B + W_B = B$. We assume Disabled B cannot communicate with any other units; thus, it is ineffective. So, $\beta_D = 0$ in this case. We will use $\rho_U$ as $\rho$.

W Population : Cyber attack capability (Being used unintentionally)

$W_B$ : Working units in B

$D_B$ : Disabled units in B


Figure  36.  A  Cyber  epidemic  combat  model  with  DDoS  attack. 
$\frac{dB}{dt} = -\rho Z$  (5.20)

$\frac{dZ}{dt} = -\beta_U (W_B)$  (5.21)


dWn 


dt 


dB  Wb 

MbWbIw  +  VbWb)+-^-^ 


(5.22) 


dD 


B 


dt 


dB  Db 


(5.23) 


dSy^r 

dt 


(5.24) 


dl]fi/ 

dt 


{+(w^w^w  Vw^w^w) 


(5.25) 


dRy^r 

dt 


(_+Py\/RwSw  +  Vw^w^w) 


(5.26) 


Use of the white population is the cheapest and the most common way to conduct a cyber attack. Also, there are a few recent incidents in the real world that show these types of attacks can be used with a kinetic attack (before or after a kinetic battle starts). Modeling this phenomenon is an area of interest, and the models discussed in Chapter IV can be modified in various ways for further research. We propose one way, to open this path for discussion, but adding different attributes and modeling different phases may be necessary along with using these models on real world data.
6. Smart Cyber Ammunition Attack


This section introduces a smart cyber ammunition attack model. Unlike previous models, a smart cyber ammunition attack can be used to kinetically damage a cyber-aimed target. In this model, Red does not have cyber capability, and Blue conducts a smart cyber ammunition attack by using two different types of infections on Red. Consider these two infections as the moving parts of a cyber weapon, which only works together. So, they spread in stealth and do not affect the infected unit's kinetic capability. In this case for Red, a unit is disabled permanently (detonated) with a rate, which is the detonation rate referred to as $\delta$, when two infections ($I_1$ and $I_2$) collide on the same unit at the same time. So, if a unit is infected with one of these infections, then two options appear: it would be cured for good, or it will have the other infection and detonate with a rate. These infections do not have any effects otherwise, and a patch for one infection does not limit the other infection.

To create a smart cyber ammunition, using two different types of infections may be essential, because a supply chain attack would be conducted. It means that if the cyber attacker (Blue here) uses one type of infection, every time the infected part is used in a machine (aimed or not), it will be detonated with a rate, which may cause unwanted damage. However, using two types of infections for two different parts would limit the risk of causing unwanted damage to a very low level (maybe insignificant). In other words, Blue may not be able to find a part used in just (aimed) Red units, but may be able to find two parts that can just be used on aimed units together, and detonate aimed Red units with a cyber attack using two infections that spread on these two parts.

Since this is a stealth weapon, a lower detonation rate helps to hide the infected parts. In other words, if we set $\delta$ to .99, each time these two parts are used together, there is a .99 chance to cause a cyber attack. However, this may not be desirable if the intention is to confuse the users of these parts. It would be obvious evidence if the cyber weapon activated each time these two parts are used together, so we want to randomize that process and choose a probability to activate these infections depending on the tactical approach. If Blue keeps the detonation rate low, it will cause Red to use fewer resources on cyber protection (e.g., 772 = 0) and will help to spread these infections more easily.

$\delta$ : Infection detonate rate ($0 < \delta < 1$)

Figure 37. A smart cyber ammunition model.
We see a new concept in cyber attack in this case. The cyber attacker causes kinetic damage on the adversary using only cyber force. Since there are some incidents like this in the real world, this concept is an area of interest. The proposed model, however, is just a glimpse of the topic, which has a variety of aspects and ways to model, and needs detailed discussion.
B. TIMELINE LIMITATIONS FOR PARAMETERS

In Figure 38, we summarize a cyber attack process on a timeline. Each parameter models different types of effects on different phases of the process. Red labels are the attack phases for the cyber attacker, and blue labels are the defensive phases for the cyber defender. These phases are discussed in Appendix B in detail. Peace represents the period before and after a cyber attack, the phase without cyber considerations. Access represents the action of infiltration to the system, by injecting the first infection ($I = 1$). The time between these two phases is considered as $t_1$, which includes reconnaissance, gathering information and conducting intrusion techniques. Escalation represents the period after the intrusion, until the Assault. This phase is considered as $t_2 + t_3$. Assault represents the action when the cyber attack affects the kinetic world, which may be a process (from to the end of the battle) or a shock (when the infected ratio is at a desired level). From the side of the defender, the Escalation phase is considered in two parts: $t_2$, which is the period until the cyber defender detects the vulnerability, and $t_3$, which is the period until the defender publishes a patch. Then the recovered units start to work until the cyber battle is over, which is the period represented as The introduced terms are represented in the timeline, to be more specific about where we can start using these parameters within a cyber attack scheme.

The  time  phases  are  explicitly  mentioned  because  although  the  model  in  Chapter 
IV  covers  a  cyber  attack  needs  a  larger  period  of  time.  The  proposed  extensions  are  one 
way  to  represent  and  explore  these  phases. 

Now  consider  that  we  have  some  limited  resource,  and  we  allocate  this  to  decrease 
some  of  these  phases.  So,  “How  does  increasing  intrusion  time  affect  the  cyber  attack?”  or 
“What  is  the  effect  of  detecting  vulnerability  earlier?”  are  questions  of  interest,  but  we 
limit  the  scope  of  this  study  to  and  the  effects  of  Assault  considering  infection 
effectiveness  and  defense  effectiveness. 
Figure 38. The range of parameters in a cyber attack.


C.  NON-SCALED  CYBER  TIME  -  KINETIC  COMBAT  TIME 

In this part, we will explore two types of cyber situations which cause instant effects on kinetic battle. For these two cases, we do not need to go into detail and estimate infection spread rates or numbers. The reason is that the outcome for the kinetic battle would be the same, and regardless of spread, we can assume that the attack rate drops down from $\beta_U$ to $\beta_D$ instantly, after a certain point.

The first case is about the effects of infection spread and patch rates, which may cause the cyber battle or the kinetic battle to dominate. The second case is about the effect of a high value target, which may change the kinetic attack rate of the force only by itself if infected.
1. High Spread Rates and Patch Rates


We will use the time scale from Schramm and Gaver (2013) as a reference point to separate the cases in which cyber effects such as spread rates (i.e., $\xi$) are too fast and affect the kinetic battle instantaneously. In the same manner, cyber effects can be too small and ineffective if the patch rates (i.e., $\eta$) are too fast. There are two possible outcomes:

The first case is when the condition discussed in Schramm and Gaver (2013) holds:

SUs(iPu-M»^PuZip.  (5.36) 

This means too fast cyber time for the kinetic battle. So, in case of a shock, the cyber operation result is effective by t* on the kinetic battle. The result of this attack depends on one condition. The condition is:

$\eta_B \ll \xi_B$

That means the infection has too high a spread rate, and at time t* the attack rate will change to $\beta_D$. This causes a shock effect as described in Chapter III.

Or, the other way, the condition does not hold:

$\eta_B \gg \xi_B$

meaning that the patch rates are too high for the infection to spread (or survive), so at time t* the attack rate does not change from $\beta_U$, and the cyber attack has no effect on the kinetic battle.

Second  case  is  when  the  discussed  condition  (5.36)  does  not  hold: 

^0  ^B  iPu  ~  Pd)  «  4  Zq  P  . 


This  means  too  slow  cyber  time  for  the  kinetic  battle.  In  other  words,  kinetic  battle 
will  be  ended,  long  before  cyber  attack  has  an  effect  on  the  battle.  So,  in  this  case  cyber 
operation  result  is  not  effective  on  kinetic  battle. 
2. Single Critical Cyber Target


The  second  case  which  may  cause  an  instant  effect  is  when  the  force  under  cyber 
attack  (Blue)  has  a  crucial  target  that  gathers  and  controls  most  of  the  cyber  movements, 
which  creates  a  natural  bottleneck  for  cyber  infrastructure.  In  this  case,  the  spread  in  other 
units  can  be  ineffective,  but  infection  of  these  bottlenecks  can  affect  a  whole  network. 
Although  these  devices  are  secured  with  more  protection  layers  than  ordinary  units,  the 
protection  level  never  goes  to  100%,  and  infection  of  these  units  may  even  be  disastrous 
for defenders. In these cases, headquarters' main command and control devices, main
communication servers, fire control and flight sync units, etc., can be possible targets.

VI. SUMMARY AND RECOMMENDATIONS


We  provide  an  overall  summary  of  the  thesis,  followed  by  some  insights  derived  in 
this study, including recommendations, which may help to support decision makers in an
analytic  approach.  Future  research  combines  some  topics  in  a  sequence  that  will  help  to 
improve  and  validate  the  results  of  this  study,  and  extend  the  range  of  use. 

A.  SUMMARY 

In cases involving cyber incidents there is an unexpected impact, both in business
and the military. The importance of cyber operations and cyber defensive measures is more
than a buzzword, as recently evidenced by the U.S. establishment of its first official
“Cyber Force” and its designation of cyberspace as a main domain for military operations
along with land, air, sea and space.

This  thesis  is  motivated  by  the  need  to  understand  analytically  the  effects  of  cyber 
warfare  on  real  battles.  We  extend  two  recently  published  models  that  use  Lanchester 
equations  as  a  primary  model  for  combat.  Our  extension  of  the  model  by  Schramm  (2012), 
Lanchester  with  discontinuities,  can  be  used  to  model  physical  attacks,  supply  chain 
attacks  or  DDoS  attacks,  all  of  which  can  have  discontinuous  impacts  on  combat.  The 
second  model  of  Schramm  and  Gaver  (2013),  the  mixed  epidemic  combat  model,  can  be 
used to represent viral and malware attacks, along with specially designed cyber tools. The
impacts  of  these  attack  concepts  can  be  gradual  or  continuous,  but  can  turn  into  a  shock 
effect  with  some  tactical  arrangements  such  as  event  or  time  triggers. 

Our  objective  is  to  answer  questions  about  the  impact  of  cyber  operations  on 
kinetic  battle.  Exploring  some  analytical  and  numerical  results  in  this  pursuit,  we  consider 
tradeoffs  between  the  model  parameters  to  answer  questions  like  “what  is  the  value  of  a 
cyber unit?,” “how much time does the defender have to recover so as not to lose?,” or “if
one side faces a larger force, what are the cyber requirements to overcome that
advantage.” Various special cases depict the effects of battlefield capabilities, kinetic and
cyber. Cyber capability can potentially diminish the attack power of an opponent for an
arbitrary but decisive time.


B.  RECOMMENDATIONS 

The  results  from  the  shock  cyber  model  suggest  the  following  measures  to  reduce 
the  expected  loss  value  due  to  a  cyber  attack. 

First, use distributed networks, each in control of a limited number of units, or use
cloud networking, if applicable. As the force size which is susceptible to an infection gets
larger, the loss from the cyber attack will get larger. So the cyber effects use similar
mechanics as with the Lanchester square law force concentration rule. But unlike
conventional kinetic battles, for a cyber attacker it is easier to cause damage to, and defeat,
a larger force compared to defeating two smaller forces.

Secondly, defensively delay the opponent cyber attack as much as possible. If the
cyber attack shock can be delayed from time t to time 2t, the effect of the cyber attack
reduces to % of the cyber effect at time t.

Thirdly, defensively shorten the recovery time from a cyber attack, because the
duration of the cyber attack increases the effects of that attack. If the duration of the cyber
effect at time t halves, the damage by cyber attack can be reduced to A of that at time t.

The damage caused by the cyber attack depends on its effectiveness: reduction of
adversarial kinetic capability. The effectiveness of the attack can be reduced by increasing
the resilience of cyber systems, such as by having trusted system backup points,
rehearsing system resetting to a backup point, suitably frequent scans for probable
intrusions, along with logging and inspecting network traffic. If the attack is not very
effective, the defender may even choose not to allocate any resources to recover from it.

Results from the continuous cyber effects model suggest the following measures to
mitigate a cyber attack.

First, prevent successful attacks by decreasing intrusion rates, establishing security
layers, training for cyber-awareness, etc. We know that to allocate resources we need more
detail for these types of recommendations, because the defensive costs for cyber are higher
than the costs of attacking an opponent. Analytical and numerical examples show that
defensive actions may be more effective than offensive actions in cyber operations. We
provide tools to compare and analyze these tradeoffs.

For  instance,  it  is  better  to  conduct  five  intrusions,  each  infecting  one  unit  in  the 
adversary  system  in  different  times,  than  it  is  to  conduct  one  intrusion  and  infect  five  units 
at  that  time,  assuming  that  all  are  using  the  same  infection. 

Secondly,  keeping  a  high  fraction  of  the  force  in  the  recovered  state  is  as  important 
as  having  a  high  patch  rate.  If  a  force  can  keep  the  cyber  security  of  its  units  updated,  the 
starting  conditions  will  be  in  favor  of  the  defender,  and  the  cyber  attack  can  be  stopped 
before  it  becomes  a  pandemic. 

These  insights  may  differ  for  specific  zero  day  vulnerabilities.  For  cases  in  which 
the attacker takes the risk of being intercepted, it may be better to wait for a promising
level of infected units or for the discovery of a defender vulnerability to launch a cyber
attack. The above phenomenon is not currently captured in the models, but is a strong
candidate for future work.

C.  FURTHER  RESEARCH 

We  are  at  the  very  beginning  of  modeling  coordinated  cyber  and  kinetic 
phenomena.  Academic  literature  on  this  topic  is  still  fairly  young.  Since  there  are  various 
ways  to  use  and  extend  the  models  in  this  study,  we  have  started  from  basics.  In  this 
context,  future  work  can  be  focused  on  exploring  proposed  extensions,  or  adopting 
different  infection  spread  systems.  A  more  detailed  study  is  needed  to  explore  other  types 
of  cyber  attacks.  Adding  stochasticity  to  studied  models  and  validating  proposed  models 
with real world data are two main courses for further research.

APPENDIX A. DEFINITION OF TERMS


These  are  the  term  definitions  published,  or  commonly  accepted,  and  generally 
used  with  the  same  meaning  outside  of  this  study.  We  refer  to  military  documents 
regarding  the  purpose  of  the  study. 


Navigation  warfare:  Deliberate  defensive  and  offensive  action  to  assure  and  prevent 
positioning,  navigation,  and  timing  information  through  coordinated  employment  of 
space,  cyberspace,  and  electronic  warfare  operations.  Also  called  NAVWAR.  (JP-3-14) 

Offensive  cyberspace  operations:  Cyberspace  operations  intended  to  project  power  by  the 
application  of  force  in  or  through  cyberspace.  Also  called  OCO.  (JP  3-12) 

Cyber  Capability:  Any  device  or  software  payload  intended  to  disrupt,  deny,  degrade, 
negate,  impair  or  destroy  adversarial  computer  systems,  data,  activities  or  capabilities. 
Cyber  capabilities  do  not  include  a  device  or  software  that  is  solely  intended  to  provide 
access to an adversarial computer system for data exploitation. (AFI 51-402)

Cyberspace  Operations:  A  cyberspace  operation  is  the  employment  of  cyber  capabilities 
where  the  primary  purpose  is  to  achieve  objectives  in  or  through  cyberspace.  Such 
operations  include  computer  network  operations  and  activities  to  operate  and  defend  the 
Global Information Grid. (AFI 51-402)

Computer  Network  Exploitation  (CNE):  Enabling  operations  and  intelligence  collection 
capabilities  conducted  through  the  use  of  computer  networks  to  gather  data  from  target  or 
adversary  automated  information  systems  or  networks.  (Joint  Pub  3-13) 

Cyber  (adj.):  Of  or  pertaining  to  the  cyberspace  environment,  capabilities,  plans,  or 
operations. (Air Force definition)

Cyberspace:  A  global  domain  within  the  information  environment  consisting  of  the 
interdependent  network  of  information  technology  infrastructures,  including  the  Internet, 
telecommunications  networks,  computer  systems,  and  embedded  processors  and 
controllers.  (Joint  Pub  1-02) 

Cyberspace  Operations:  The  employment  of  cyber  capabilities  where  the  primary  purpose 
is to achieve military objectives or effects in or through cyberspace. (Joint Pub 3-0)

Cyberspace Superiority: The operational advantage in, through, and from cyberspace to
conduct operations at a given time and in a given domain without prohibitive interference.
(AFDD 3-12)

Cyberspace Support: Foundational, continuous, or responsive operations in order to ensure
information integrity and availability in, through, or from Air Force controlled
infrastructure and its interconnected analog and digital portion of the battle space. (AFDD
3-12)

Defensive Cyberspace Operations (DCO): DCO direct and synchronize actions to detect,
analyze, counter, and mitigate cyber threats and vulnerabilities; outmaneuver adversaries
taking or about to take offensive actions; and otherwise protect critical missions that
enable our freedom of action in cyberspace. (USCYBERCOM Concept of Operations, v
1.0, 21 Sep 2010)

Global  Information  Grid  (GIG):  The  globally  interconnected,  end-to-end  set  of 
information  capabilities,  associated  processes  and  personnel  for  collecting,  processing, 
storing,  disseminating,  and  managing  information  on  demand  to  warfighters,  policy 
makers,  and  support  personnel.  The  GIG  includes  owned  and  leased  communications  and 
computing systems and services, software (including applications), data, security services,
other associated services, and National Security Systems. (Joint Pub 6-0)

Information Assurance (IA): Measures that protect and defend information and
information systems by ensuring their availability, integrity, authentication,
confidentiality, and non-repudiation. This includes providing for restoration of
information systems by incorporating protection, detection, and reaction capabilities.
(AFPD 33-2, Joint Pub 3-13)

Information Superiority: The operational advantage derived from the ability to collect,
process, and disseminate an uninterrupted flow of information while exploiting or denying
an adversary’s ability to do the same. (Joint Pub 3-13)

Offensive Cyberspace Operations (OCO): The creation of various enabling and attack
effects in cyberspace, to meet or support national and combatant commanders’ objectives
and actively defend DOD or other information networks, as directed. (USCYBERCOM
Concept of Operations, v 1.0, 21 Sep 2010)

APPENDIX B. MODEL ENVIRONMENT


In  this  section,  we  describe  the  terms  and  the  concept  of  cyber  operations. 
Although  these  types  of  operations  widely  vary  by  nature,  we  use  the  most  general  form 
and  explain  the  cyber  warfare  by  phases  agreed  upon. 

Asymmetric  Threat 

According to the DOD Dictionary of Military and Associated Terms (JP 1-02),
asymmetric means: “In military operations the application of dissimilar strategies, tactics,
capabilities, and methods to circumvent or negate an opponent’s strengths while
exploiting his weaknesses.” The term asymmetric threat is used when the threat has the
potential to cause damage at an extraordinary ratio to its effort. Effort can be quantified by
its cost, information requirement, manpower, access to resources, etc. In those terms,
terrorist attacks like suicide bombs, IED/mine threats, and guerilla attacks are types of
asymmetric threats.

We  can  categorize  cyber  threat  as  an  asymmetric  threat,  because  of  its  impact 
regarding  its  effort.  In  cyberspace,  even  one  person  with  proper  skills  and  interest  can 
become  a  national  threat.  It  is  easy  to  cause  a  national  disaster  with  an  organized  cyber 
attempt.  When  this  effect  is  joined  with  kinetic  effects  in  battle,  its  multiplicative  effect 
will  boost  the  attacking  force. 

Cyber  Environment 

Anything  related  to  electronic  devices  can  be  affected  by  cyber  operations.  In  other 
words,  we  would  be  immune  to  a  cyber  operation  if  we  were  to  use  a  bow  to  hunt,  and 
only  use  candle  light  at  night.  But,  as  was  stated  before,  anything  electronic  or  related  to 
electronics  can  be  affected  by  a  cyber  operation. 

Cyber  Forces 

A  cyber  operation  typically  consists  of  the  following  elements: 

• Specific equipment: Such as computers, data connectors, input devices.

• Specialized personnel: At least one person with knowledge and training
about cyber operations. This person can write autonomous programs, which
are able to work independently, but we need a code-writer before that code
copies itself.

• Physical contact: Even with specific equipment and specialized personnel,
we may not be able to conduct a cyber operation. We may need a physical
contact with the target network and special equipment. All data transfer
assets including electromagnetic spectrum and supply chain intrusion can
provide this contact.

We  assume  these  three  requirements  are  physical  necessities. 

We  can  categorize  the  cyber  operational  forces  into  two  groups  as  Human 
Controlled  Program  (HCP)  and  Automated  Program  (AP).  Both  these  groups  need  to 
satisfy  physical  requirements  and  are  categorized  by  working  process.  We  use  APs  in  this 
study  as  a  cyber  threat,  because  it  is  more  commonly  used  in  larger  cyber  environments, 
and  HCP  works  like  the  APs  in  the  beginning.  HCP  is  used  in  cyber  operations  for  special 
units,  which  is  not  in  our  focus  in  this  study.  We  ignore  human-related  concerns  behind 
APs,  such  as  training  level  or  communication  skill,  and  just  focus  on  the  product  AP,  as  it 
can  work  independently. 

Non-combatant  units,  units  which  do  not  have  any  offensive  or  defensive  assets, 
can  be  categorized  as  white  population.  But,  even  white  units  can  be  controlled  with  any 
of  the  fighting  forces  without  approval  (or  notice)  of  the  white  user,  and  can  be  used  as  a 
reserve. 

Cyber  Weapons 

Cyber  weapons  are  special  programs  (tools)  used  as  weapons  in  cyberspace.  A 
human  may  or  may  not  be  necessary  to  use  this  tool,  meaning  that  tools  can  be  trigger 
activated,  or  pre-programmed,  or  use  basic  artificial  intelligence.  Also,  any  program  can 
be  equipped  with  disguised  tools  and  can  be  weaponized. 

Objectives  of  Cyber  Operations 

After  regulations  made  in  2010  concerning  cyber  forces  (Lynn,  2010),  we  assume 
that  the  cyber  domain  is  another  front  in  a  kinetic  combat,  one  which  requires  strategy, 
resources  and  tactics.  Although  cyber  operations  may  have  a  variety  of  objectives,  such  as 
stealing information, locking data (ransomware), changing data, destroying data, slowing
down communications, slowing down systems and information propagation, etc., we focus
on slowing down communications and/or system operations.

Phases  of  Cyber  Operations 

We can generalize the cyber operation phases by using the attack phases. The
sequence of an attack process is

• Recon,

•  Scan, 

•  Access, 

•  Escalate, 

•  Exfiltrate, 

•  Assault, 

•  Sustain,  and 

• Obfuscate (Winterfeld and Andress, 2012).

Tasks  of  Cyber  Operations 

Cyber operations can be tasked in various ways. These operations may be limited
to cyberspace, as well as extending to physical environments. A cyber force can do each
of the tasks below to critical data or software, which indirectly affects the adversary. Also,
these tasks can be used for direct attacks in order to shut down electric sources and grids,
communication lines, production assets, disrupt or change control measurements to cause
a critical or fatal fault on mechanical or even nuclear parts, etc.

Programs  can  execute  tasks  such  as: 

•  Attack, 

•  Block, 

•  Delay, 

•  Disrupt, 

•  Destroy, 

•  Isolate, 

• Screen, and

• Withdraw.

Types of Cyber Attacks

Cyber  attacks  can  be  categorized  in  two  main  parts:  Logical  cyber  attacks  and 
Physical  cyber  attacks  (Andress  and  Winterfeld,  2013). 

Logical  cyber  attacks  use: 

•  Recon  tools, 

•  Scan  tools, 

•  Access  and  escalation  tools, 

•  Exfiltration  tools, 

•  Assault  tools,  and 

•  Obfuscation  tools. 

Physical  cyber  attacks  use: 

•  Supply  chain  attack  tools,  and 

•  SCADA  (Infrastructure)  attack  tools. 

Each  type  of  attack  uses  different  attributes  of  cyber  environments,  and  should  be 
modeled  separately.  So  we  introduce  different  models  for  different  attack  types. 

In  our  models,  we  use  the  fact  that  the  effect  of  a  cyber  attack  starts  with  the 
Access  phase.  Recon  -  Scan  phases  just  supply  intelligence  for  further  phases.  Also,  the 
damage  happens  in  the  Assault  phase,  where  the  action  happens.  The  Escalate  phase 
expands  the  reach  of  attack  as  much  as  possible,  whereas  the  Exfiltrate  phase  limits  the 
reach  in  order  to  adjust  the  focus  on  the  right  target.  Sustain  -  Obfuscate  phases  are  about 
erasing  any  trails  to  prevent  backtrack. 

In  order  to  model  a  realistic  scenario,  we  can  simplify  these  phases  into  three  as: 
Access,  Escalate  and  Assault.  In  this  case  we  assume  that  Recon  and  Scan  phases  were 
completed before, and we assume no evidence of the phases remains.

In  this  context,  for  any  type  of  cyber  attacks  (including  web  defacement  attacks, 
DOS  attacks,  zero-day  attacks,  malicious  code  attacks...)  for  a  closed  network  as  a 
military  network,  malicious  code  needs  to  be  used  for  access,  escalate,  or  assault  phases. 
We  use  epidemiology  to  model  cyber  infection  for  these  three  phases. 


APPENDIX  C.  EXPLORING  EPIDEMIC  COMBAT  MODEL 

1.  Steps  to  Dynamic  State  Equations 

The  original  equations  from  Schramm  and  Gaver  (2013),  as  a  one-sided  model 
specified  in  (4.1)  -  (4.4); 

dZ 

dS  S 

dR  R 

-=i^sR+RRn- pzj^^rrr^. 

We  modify  this  one  sided  model  to  two  sided  by  adding  the  cyber  effect  to  both  sides 
numerically  as  in  (4.5)  -  (4.10): 

dS  S 

~  Vb^B^b)  ~  [Pui^Z  +  ^z)  +  Pd  Oz)]  Ti  „ 

at  Sg  +  Ig  +  Rg 

dip}  Ip} 

“  Vb^^b)  ~  [Pu(.^z  +  ^z)  +  Pd  Cz)]  t;  „ 

dt  Sq  +  +  Rg 

dR  R 

=  (+r]gRgSg  +  PB^Bh)  ~  [Pui^z  +  ^z)  +  Pd  Cz)]  ^ 

dS  S 

—  i~^z^zh  ~  Vz^z^z)  ~  [Pui^B  +  ^b)  +  Pd  Cb)]  ^  ^  ^ 

dly  ly 

—  C+^z^Z'^z  “  Vzh  ^z)  ~  [Pui^B  +  ^b)  +  Pd  Cb)]  ^  ^  ^ 

dR  R 

——  =  {+rjzRzSz  +  Pz^zh)  ~  iPui^B  +  ^b)  +  Pd  Ob)]  r  ,  j  ,  n 

dt  5^  +  /z  +  Rz

We define in Section IV.A that

$$S_B + I_B + R_B = B,$$

$$S_Z + I_Z + R_Z = Z.$$


We define in (4.11) and (4.12) that:

$$\frac{dB}{dt} = -\rho_U (S_Z + R_Z) - \rho_D (I_Z),$$

$$\frac{dZ}{dt} = -\rho_U (S_B + R_B) - \rho_D (I_B).$$


We  define  in  (4.21)  and  (4.22)  that: 
dB 


A  more  compact  form  is  represented  as: 

d5g  5g 

~  Vb^b^b)  ~  P  Z 

d/B  _  1b 

—  (+^B^B‘^B  “  VbIbUb)  ~  P  ^  ~g’ 

di?g  i?g 

—  (+r;gi?g5g  +  Pb^bIb)  ~  P  ^  > 

dSy  -  Sz 

—  i~^z^zlz  ~  Vz^z^z)  —  P  B  — , 

—  {d-^zh^z  ~  Pzh  Pz^  ~  P  B  —, 

dRz  -  Rz 

=  (+VzRzSz  +  VzRzIz)  -PB  Y-

We use the form as in (4.13) - (4.18) to manipulate the equations on one side:


dSg  dB 

—  =  C-^sSbIb  -  VbSbRb) 

d/g  dB  Ib 

—  =  (+^g/g5g  -  r7g/gl?g)  +^-^. 

di?g  dB  Rb 

-  (+%^B‘5’b  +  VbRb^)  + 

dSy  dZ  Sz 

—  =  (-^zSzIz  -  VzSzRz)  +  -^  y  > 

dlz  dZ  4 

"dF  ~  ~  FT  z ' 

di?7  dZi?z 

=  i+r]zRzSz  +  VzRzh)  +  ■ 


A reduced system of equations for the Blue side,


d5g  dB  Sb 

—  =  (-^bSbIb  -  VbSbRb) 

dip!  dB  Id 

—  =  (+^g/g5g  -  jIbIbRb)  +  ^  5' 

di?g  dB  Rb 

—  =  C+VbRbSb  +  VbRbIb)  +-^Y- 


Note that from here we refer to the initial states of Blue with the representation
$(S_0, I_0, R_0)$. These equations are not equivalent to the six equations in (4.5) - (4.10).

From these we derive equations as:


1  1 

—  d5g  —  —dB  —  (— ^g/g  —tJbRb^ 

Ob  d 


(5.37) 


1  1 

—  d/g  —  —dB  —  (+^g5g  —tjbRb^  dt 

1b  d 


(5.38) 


1  1 

S-dRB  --^dB  =  (+r7g5g  +  r/g/g)  dt 
Kb  d 


(5.39) 



(5.40) 


By  subtracting  (5.38)  from  (5.37)  : 

1  1 

—  dSg  —  —dig  —  — +  Sg)  dt 


By  writing  (5.39)  in  the  same  form: 


1 

—  dRg 
Rb  ® 


-^dB  =  +r]g(Sg  +Ig)  dt 


(5.41) 


By  dividing  (5.40)  by  (5.41): 

1  1 

J-gdRg-  j;dlB  -^g(4+5g)  dt 

-^dRg-^  dB  (Sb  +  4)  dt 

Kb  ts 


After cancellations on each side:


—  dSg  —dig 


(5.42) 


By  integrating  both  sides  in  (5.42),  we  derive  the  equation: 

Sb  Sq  ^g  Rg  Rq 

ln(^)  -  ln(-^)  =  -^(/n(^)  -  /n(^)) 
h  h  Vb  o  Kq 


Which leads to:


Rb 

•^0  Rb  IIr 
^0  Rq

We modify the equation as:


In 


In 


Vb 


We  can  simplify  the  equation  for  Blue  as: 

Iq  _ 

^  A 

■?o  \  5o  / 


(5.43) 


For  5b,  /g,  >  0,  the  dynamic  state  equation  in  two  different  representations  as: 


Rb 


(5.44) 


(5.45) 


Note  that  all  initial  states  Sq,  Iq,  Rq?  parameters  rj  belong  to  B,  and  c  is  constant. 
These  calculations  were  represented  for  Blue  side  only,  but  can  be  calculated  for  Red  side, 
also. 

Consider  the  case  for  “no  kinetic  battle”  or  “no  attrition”  and  spread  rate  equals  to 
patch  rate.  In  that  case,  —  is  1  and  ^  =  rj.  These  assumptions  will  lead  the  equation  to: 

fo  ‘^0 

which is a different representation of Schramm and Gaver (2013) for closed form
of I(t), which uses the same assumptions.

D. Approximation Calculations to Estimate Cyber Operation Value

1. Scaled Cyber Time - Kinetic Combat Time

We  used  the  equations  ^  =  Pu  —  —  Pd)  and  p  —  —  IziPu  ~  Pd)  foi" 

variable attack rates. Figure 26 shows how the attack rates may change over time when
cyber effects are considered. Using these rates as functions of time will give us the exact
solution, but the resulting system is hard to solve. To simplify the process, we can approximate
the result by using constant average attack rates. Note that using a constant
average attack rate instead of calculating the whole process may be misleading, because we
simply ignore the variability of the process and try to overcome a dynamic process by
using two constant numbers. However, if there is enough data for the effects of these rates,
using average numbers can be safer, and will allow us to implement different types of
dynamic models into large simulation models, which are used in military decision making.

Here  we  show  a  notional  simplified  example  by  comparing  two  battles;  in  Figure 
39  both  sides  have  cyber  capabilities,  and  one  side  (Blue)  is  using  kinetic  attack,  affected 
dynamically,  and  in  Figure  40  we  model  the  same  battle  with  a  constant  kinetic  attack  rate. 
Note  that  changing  the  parameters  will  change  the  situation,  and  the  constant  attack  rate 
should  be  re-evaluated.  These  average  attack  rates  will  approximate  to  real  battle  results, 
but  a  systematic  way  to  estimate  the  average  constant  attack  rate  is  beyond  the  scope  of 
this  study. 


Figure 39. Force levels in numerical experiment ($\rho_U = 0.1$, $\rho_D$ = 0-0^)

Figure 40. Force levels in using average approximation ($\rho = 0.075$)
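
The comparison described for Figures 39 and 40, and the Chapter VI point about keeping units in the recovered state, can be reproduced numerically. The Python below is an added example, not code from the thesis: it assumes (4.5)-(4.10) are read as spread and patch terms between susceptible, infected and recovered units with kinetic losses shared in proportion to compartment size. The force sizes, the spread and patch rates, the value used for rho_D and the time-averaging rule are all constructed for illustration.

```python
"""Two-sided mixed epidemic-combat model vs. a constant average attack rate.

Assumed reading of (4.5)-(4.10): within each force, susceptible (S), infected (I)
and recovered (R) units mix with a spread rate and a patch rate, and kinetic
losses are shared by the three compartments in proportion to their size.
"""

RHO_U = 0.1    # attack rate of a unit that is not infected
RHO_D = 0.05   # attack rate of an infected (degraded) unit; assumed value


def step(force, spread, patch, losses, dt):
    """One Euler step for one force given as [S, I, R]."""
    s, i, r = force
    n = s + i + r
    ds = -spread * s * i - patch * s * r - losses * s / n
    di = +spread * i * s - patch * i * r - losses * i / n
    dr = +patch * r * s + patch * r * i - losses * r / n
    return [max(x + dx * dt, 0.0) for x, dx in ((s, ds), (i, di), (r, dr))]


def simulate(blue0, red0, spread, patch, const=None, dt=0.01, t_max=200.0):
    """Fight until one side falls below one unit (or t_max is reached).

    blue0, red0   : initial (S, I, R) of each force
    spread, patch : (blue, red) spread and patch rates
    const         : optional (blue_rate, red_rate) constant attack rates that
                    replace the infection-dependent rates
    """
    blue, red = list(blue0), list(red0)
    t = acc_blue = acc_red = 0.0
    while t < t_max and sum(blue) >= 1.0 and sum(red) >= 1.0:
        nb, nr = sum(blue), sum(red)
        # Effective per-unit attack rate rho_U - (I/N)(rho_U - rho_D), which
        # follows from dB/dt = -rho_U (S_Z + R_Z) - rho_D I_Z.
        rate_blue = RHO_U - (blue[1] / nb) * (RHO_U - RHO_D)
        rate_red = RHO_U - (red[1] / nr) * (RHO_U - RHO_D)
        acc_blue += rate_blue * dt
        acc_red += rate_red * dt
        if const is not None:
            rate_blue, rate_red = const
        blue, red = (step(blue, spread[0], patch[0], rate_red * nr, dt),
                     step(red, spread[1], patch[1], rate_blue * nb, dt))
        t += dt
    elapsed = t or dt
    return {"blue": sum(blue), "red": sum(red), "duration": t,
            "avg_rate_blue": acc_blue / elapsed, "avg_rate_red": acc_red / elapsed}


def compare(blue0, red0, spread, patch):
    """Run the dynamic model, then rerun it with its own time-averaged rates."""
    dynamic = simulate(blue0, red0, spread, patch)
    rates = (dynamic["avg_rate_blue"], dynamic["avg_rate_red"])
    return dynamic, simulate(blue0, red0, spread, patch, const=rates)


# Constructed scenario: equal forces; Blue starts with 5 infected and 5 patched units.
BLUE0, RED0 = (90.0, 5.0, 5.0), (100.0, 0.0, 0.0)
SPREAD, PATCH = (0.005, 0.005), (0.002, 0.002)

if __name__ == "__main__":
    dyn, avg = compare(BLUE0, RED0, SPREAD, PATCH)
    print("dynamic rates: red survivors %.1f, duration %.1f" % (dyn["red"], dyn["duration"]))
    print("average rates: red survivors %.1f, duration %.1f" % (avg["red"], avg["duration"]))
    print("Blue time-averaged attack rate %.4f" % dyn["avg_rate_blue"])
    # Same Blue force size, but 30 units already in the recovered state at the start.
    patched = simulate((65.0, 5.0, 30.0), RED0, SPREAD, PATCH)
    print("more of Blue recovered at start: red survivors %.1f" % patched["red"])
```

The gap between the two runs is the variability that a constant average rate ignores.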

2. Different Types of Models

We  used  epidemic  models  and  kinetic  combat  models  and  combined  them  to 
explain  the  effect  of  cyber  operations.  It  is  important  to  point  out  that  the  infection  term  in 
epidemic  model  was  used  to  demonstrate  cyber  effects  in  a  battle  in  this  study,  but  in  fact 
this  term  can  be  used  in  different  ways. 

The term “Infection” used in this study is a broad term which can be used for any
effect that reduces a force’s warfighting capabilities. The scope of examples can be as
broad as propaganda via media which affects a force psychologically, chemical or
biological weapons which affect a force biologically, terror actions which damage
infrastructure, etc.; basically all kinds of asymmetric threats. The scenario in this thesis
considers malware infection on electronic devices, but the model can be used in much
broader cases.